- Tim Collins, Network Flight Recorder
- Larry Oliver, IBM Research
Videocast of eWeek Magazine Interview with CVE Co-Creator, Steve Christey, Now Available
The Security News section of a recent issue of eWeek magazine included an article entitled "Security core: Best practices-Industry elite launch far-reaching standards process." The article described the Security Vulnerability Summit held in early November that was co-hosted by the magazine and the security company Guardent Inc., and included excerpts from an interview with MITRE information security engineer and CVE co-creator, Steve Christey. You may watch a videocast of the interview, or review a transcript.
Two Join CVE Editorial Board
Two new members have been added to the CVE Editorial Board. These new members are:
Other CVE Editorial Board Changes
Marc Dacier of IBM Research has left the CVE Editorial Board. He has been replaced by Larry Oliver, as noted above. Troy Bollinger of IBM Research also remains as a Board member. See the CVE Editorial Board page for the most up-to-date list of Board members.
SecurityWatch.com Makes CVE Compatibility Declaration
SecurityWatch.com has declared that its Vulnerability Knowledge Database is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products page.
Network Security Systems Makes CVE Compatibility Declarations
Network Security Systems has declared that its Vulnerability Reporting and Testing tool and Network Hardware Appliance are CVE-compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products page.
CVE Included in Boardwatch Magazine Article
CVE was included in a recent article in ISPWorld.com's Boardwatch magazine, entitled "Network Vulnerability Scanning, Keeping Your Networks Buttoned Up". The article referred to CVE in a section on evaluating vulnerability scanning results, in which the author states: "Another popular feature is the use of the Common Vulnerabilities and Exposures (CVE) list maintained by MITRE (see sidebar). Being able to reference a standard name for a particular vulnerability or exposure means network scanner users can more confidently apply patches or others fixes." CVE is featured in this sidebar, which describes what CVE is and the benefits of CVE-compatible tools. It is in the sidebar that the author refers to CVE as "an invaluable framework that network security professionals can use as a common language for identifying and talking about network vulnerabilities."
CVE Featured in eWeek Magazine Article
CVE was featured in a recent article in eWeek magazine on Zdnet.com. The article, entitled "CVE: An alert by any other name", described what CVE is and the benefits of CVE to the IT security community, discussed the new subscriber mailing list for current CVE announcements, and included the CVE Web site address. The article also noted that CVE has grown from 321 entries at inception in September 1999 to 1,077 entries, with 850 candidates pending in the current version. In her conclusion, the author described CVE as "The lingua franca for vulnerabilities: Instead of 10 names for the same vulnerability, a single CVE name will help everybody speak the same language."
CVE Candidate Number Included in IBM ERS Advisory Service Report
A CVE candidate number was included in a recent advisory service report from the IBM Emergency Response Service (ERS). The report, ERS-FYI-E01-2000:078.1, identified CAN-2000-0844.
CVE Candidate Number Included in SGI Security Advisory
SGI recently released a security advisory that included a CVE candidate number. The advisory, "InPerson Vulnerabilities, 20001101-01-I" identified CAN-2000-0799 and offered a URL to CVE for more information.
Three Join CVE Editorial Board
Three new members have been added to the CVE Editorial Board. These new members are:
Other CVE Editorial Board Changes
Patrick Heim, formerly of Hiverworld, has left the CVE Editorial Board. Tom Stracener remains as the Hiverworld representative. In addition, Marvin Christensen, formerly of IBM ERS, and Steve Schall, formerly of intrusion.com, have also left the Board. See the CVE Editorial Board page for the most up-to-date list of Board members.
CVE Exhibits at FedCIRC Conference, November 7-8
MITRE hosted a CVE exhibitor booth at the FedCIRC Conference, November 7-8, 2000, at the University of Maryland, University College, MD. Federal Computer Incident Response Capability (FedCIRC) is the central coordination and analysis facility that deals with computer security-related issues affecting the civilian agencies and departments of the Federal Government. The conference was successful and introduced CVE and CVE-compatible products to a variety of representatives from government and academia, as well as other computer security specialists.
CVE Hosts Booth at SANS Network Security 2000, October 15-22
MITRE hosted a CVE exhibitor booth at SANS Network Security 2000, October 15-22, 2000 in Monterey, CA. The conference, at which CVE promoted its 1,000 entries milestone celebration, was successful and introduced CVE and CVE-compatible products to a diverse audience of security and audit professionals and system and network administrators.
CVE Hosts Booths at 23rd National Information Systems Security Conference, October 16-19
MITRE hosted a CVE exhibitor booth at the 23rd National Information Systems Security Conference, October 16-19, 2000 in Baltimore, MD. CVE promoted its 1,000 entries milestone celebration at the conference and also introduced CVE and CVE-compatible products to a variety of information security professionals, network managers, technology directors, chief information officers, engineering managers, and other representatives from government, industry, and academia across the country and around the world. The conference was co-sponsored by the National Institute of Standards and Technology (NIST) and the National Computer Security Center.
CVE Achieves 1,000 Entries Milestone!
CVE has achieved a major milestone of 1,000 official entries. Since its inception in September 1999, CVE has grown from 321 entries to more than 1,077, with another 700 candidates currently pending. The milestone is also further evidence that the information security community has embraced the CVE Initiative. To date, 26 developers of vulnerability databases and tools have declared that their products are or will be CVE-compatible. Read the MITRE news release.
Troy Bollinger joins CVE Editorial Board
Troy Bollinger of IBM is the newest member of the CVE Editorial Board.
CVE to Host Booth at SANS Network Security 2000 October 15-22
MITRE is scheduled to host a CVE exhibitor booth at SANS Network Security 2000 October 15-22, 2000 at the Doubletree Marriott and Monterey Conference Center in Monterey, CA. This sixth annual conference on securing networks and systems is targeted to security and audit professionals and system and network administrators.
CVE to Host Booth at 23rd National Information Systems Security Conference October 16-19
MITRE is scheduled to host a CVE exhibitor booth at the 23rd National Information Systems Security Conference October 16-19, 2000 at the Baltimore Convention Center in Baltimore, MD. The conference is co-sponsored by the National Institute of Standards and Technology (NIST) and the National Computer Security Center, and is targeted to information security professionals, network managers, technology directors, chief information officers, engineering managers, and other representatives from government, industry, and academia across the country and around the world. The exposition is sponsored by AFCEA.
CVE Launches New Web Site
CVE has upgraded its Web site with new information and new functionality to better serve our users. New information includes a revised "Get CVE" page for viewing, downloading, or searching the CVE list; a description of the CVE naming process; an updated "CVE-Compatible Products" page; and free e-newsletters, among other improvements.
New features include:
CVE Candidate Number Included in CERT/CC Security Advisory
CERT/CC recently released a security advisory that included a CVE candidate number. The advisory, "CERT Advisory CA-2000-17," identified CAN-2000-0666 and offered a URL to CVE for more information.
CVE Cited in Article on Security Strategies in InfoSecuritymag.com
CVE received a strong mention in a recent article on InfoSecuritymag.com. The article, entitled "Secure strategies: A year-long series on the fundamentals of information systems security", covers the topic of vulnerability assessment and is part two of a four-part series on information systems security testing. The author cited CVE as "trying to bring some order to the world of security vulnerabilities," described what CVE is and is not, provided a good overview of the basic requirements for CVE-compatible products, and included the CVE Web site address.
Editorial Board Holds Meeting
The CVE Editorial Board held a face-to-face meeting on August 14-15, 2000 in Denver, Colorado. Topics of discussion included a process for rejecting or modifying CVE candidates and entries, guaranteeing the validity of candidates before they are accepted into CVE, the use of CVE references, issues related to producing a Common Intrusion Event List (CIEL) to provide a naming standard for IDS events, CVE compatibility, establishing software vendor liaisons to the Board, voting on candidates, and content decisions.
Tivoli Makes CVE Compatibility Declaration
Tivoli Systems, Inc., an IBM company, has declared that their SecureWay Risk Manager is CVE-compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products page.
CVE Referenced in Computerworld Article
CVE was referenced in a recent article on Computerworld.com entitled, "Security, the Way It Should Be". The article discusses various approaches to improving security and in a section on code review refers to CVE as "a widely accepted archive of security problems found in software and hardware" along with a link to the CVE Web site.
CVE Version 20000712 Released
CVE version 20000712 has been released. It has 115 new entries, for a total of 815 entries. In addition, it includes several entries for security problems whose initial public announcement contained candidate numbers: CVE-2000-0249, CVE-2000-0303, CVE-2000-0304, CVE-2000-0305, CVE-2000-0350, and CVE-2000-0376. More information for this new version is available.
Editorial Board Holds Teleconference
The Editorial Board held a teleconference on June 29, 2000, with eight Board members participating. Topics included the daily operations of the Editorial Board, the role of MITRE in conducting Board operations, how MITRE converts raw vulnerability information into candidates, CVE accuracy and timeliness, content decisions, candidate voting, and upcoming Web site enhancements.
CVE Briefs at Canadian Information Technology Security Symposium
MITRE briefed CVE at the annual Canadian Information Technology Security Symposium on June 22, 2000, in Ottawa, Canada. The presentation introduced CVE to approximately 200 representatives from the Canadian government, law enforcement, other international organizations, and critical information infrastructure protection experts. The talk went well and was a good opportunity to educate this new, international audience about CVE. The symposium itself had approximately 600 attendees and was sponsored by the Communications Security Establishment (CSE), the Canadian Federal Government agency responsible for information technology security. MITRE also enjoyed the opportunity to visit with Editorial Board member Ken Armstrong of EWA-Canada/CanCERT.
CVE Featured in Recent Securitywatch.com News Article
CVE was the feature story in a May 24, 2000 article on Securitywatch.com. The article, "What's in a name? CVE attempts to cure the vulnerability babel," provides a good overview of what CVE is and is not, a description of what goes on behind the scenes for a candidate to become a CVE entry, and information on how to be involved.
Patrick Heim joins CVE Editorial Board
Patrick Heim of Hiverworld is the newest member of the CVE Editorial Board.
CVE Hosts Booth at ISSA Security Conference on June 8
MITRE hosted a CVE exhibitor booth at the New England ISSA Security Conference on June 8, 2000, at Boston College, Chestnut Hill, MA. The conference was sponsored by the New England Chapter of the Information Systems Security Association (ISSA). ISSA is an international organization of information security professionals that promotes communication regarding information security management and practices. The conference was successful and introduced CVE to a diverse audience of attendees from financial institutions and other corporations, educational institutions, and government agencies.
CVE Version 20000602 Released
CVE version 20000602 has been released. It has 56 new entries, for a total of 700 entries.
CVE Names Included in Top Internet Security Threats List
The Consensus List of The Top Internet Security Threats, a list of the most critical problem areas in Internet security, was released on June 1, 2000. The list includes CVE names to uniquely identify the vulnerabilities it describes, which will help system administrators to use CVE-compatible products and databases to help make their networks more secure.
Marcus Ranum, Ken Williams join CVE Editorial Board
Marcus Ranum of NFR and Ken Williams of eSecurityOnline.com have joined the CVE Editorial Board.
More Vulnerability Databases Provided to CVE
Six additional organizations are contributing their vulnerability databases to assist us in creating more candidates for CVE. Symantec, AXENT, The Nessus Project, PGP Security, BindView, and Cisco have all provided MITRE with items from their vulnerability databases. These items will help MITRE to create the next set of candidates for older security issues that have not been added to CVE yet, and to extend the set of references for existing candidates and entries.
CVE Candidate Numbers Included in Recent Security Advisories
BindView and Rain Forest Puppy recently released security advisories that included CVE candidate numbers. The BindView advisory described CAN-2000-0305, and RFP's advisory identified CAN-2000-0350.
CVE Hosts Booth at 1st ICCC Conference May 23-25, 2000
MITRE hosted an exhibitor booth for CVE at the First International Common Criteria Conference (ICCC) on May 23-25, 2000, at the Baltimore Convention Center in Baltimore, MD. The conference was sponsored by the National Information Assurance Partnership (NIAP), a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). The conference was attended by more than 600 information security and other professionals, introducing CVE to a wider audience of information technology (IT) security testing laboratories, product and system evaluators, validators and certifiers, systems accreditors, etc.
Vulnerability Databases Providing More Candidates for CVE
Various organizations are contributing their vulnerability databases so that we can create more candidates for CVE. Security Focus, Neohapsis, ISS, and Harris have all provided MITRE with items from their vulnerability databases. These will help MITRE to create the next set of candidates for older security issues that have not been added to CVE yet, and to extend the set of references for existing candidates and entries.
CVE Referenced in Recent Edition of InfoWorld
CVE was referenced as "attempting to bring order to the madness that ravages the Internet every day" in a column about good vulnerability information sources in the May 12, 2000 edition of InfoWorld. The Security Watch column, entitled "Your Best Defense Against Hack Attacks: Good Information and an Insurance Policy," also included a link to the CVE Web site.
CVE to Brief at Canadian Information Technology Security Symposium, Ottawa, on June 21
MITRE is currently scheduled to brief CVE at the annual Canadian Information Technology Security Symposium scheduled for June 19-23, 2000, Ottawa, Canada. The conference is sponsored by the Communications Security Establishment (CSE), the Canadian Federal Government agency responsible for information technology security, and will focus on PKI issues and solutions, e-commerce/e-business, critical information infrastructure protection, intrusion detection, and security in open source software.
AXENT Technologies, Inc. now has several tools that are CVE-compatible. You can view the AXENT entries on the CVE-Compatible Products page.
Scott Lawler from the US Department of Defense CERT (DOD-CERT) has joined the Editorial Board.
CVE to Host Booth at ISSA Security Conference on June 8
MITRE is currently scheduled to host a CVE exhibitor booth at the New England ISSA Security Conference scheduled for June 8, 2000, on the main campus of Boston College in Newton, MA. The conference is sponsored by the New England Chapter of the Information Systems Security Association (ISSA). ISSA is an international organization of information security professionals that promotes interaction and communication among members regarding information security management and practices. Members include numerous international and U.S. financial institutions and other corporations, educational institutions, and government agencies.
Advanced Research Corporation (ARC) has announced that their vulnerability assessment tool, SARA, is now CVE-compatible.
You can view the entry on the CVE-Compatible Products page.
CVE to Brief at 1st International Common Criteria Conference May 23-25, 2000
MITRE is currently scheduled to brief CVE and host an exhibitor booth at the First International Common Criteria Conference (ICCC), scheduled for May 23-25, 2000, at the Baltimore Convention Center in Baltimore, MD. The conference is sponsored by the National Information Assurance Partnership (NIAP), a collaboration between the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). For more information about the conference, visit the conference home page and the FBC/FITS Federal On-Site Technology Expositions page.
CVE Wins Technology Leadership Award, March 24, 2000
CVE was awarded the SANS 2000 Security Technology Leadership Award at the SANS Joint Computer Security Conference in Orlando, FL. The award was presented to MITRE's CVE team for "establishing, nurturing and sustaining the industry-wide cooperative Common Vulnerabilities & Exposures project." Read the MITRE press release.
MITRE Hosts CVE BOF at SANS 2000, March 23, 2000
MITRE hosted a CVE 'birds of a feather' reception on Thursday evening at the SANS 2000 Joint Computer Security Conference in Orlando, FL. This "meet and greet" event hosted more than 100 information security experts and other conference attendees. A short briefing and question and answer session were well attended. CVE was represented by the MITRE team, along with representatives of several member organizations of the CVE Editorial Board. MITRE's CVE team also received the SANS 2000 Security Technology Leadership Award at the event.
MITRE Presents CVE Briefing at InfraGard Meeting, March 17, 2000
MITRE presented a briefing on CVE to the New England chapter of InfraGard on March 17th. InfraGard is a cooperative effort to exchange information between the FBI, other government agencies, academic institutions, and the business community about network security, illegal intrusions, disruptions, and exploited vulnerabilities of information systems. Once implemented, InfraGard will consist of an alert network and a Web site with information related to computer security and information infrastructure protection. The briefing was well received, and we have been invited to attend another meeting in the near future.
MITRE Presents CVE Briefing to ISSA, January 27, 2000
MITRE presented a briefing on the benefits of CVE to the New England Chapter of the Information Systems Security Association (ISSA) at their January meeting at Fleet Boston Financial in Boston. ISSA is an international organization of information security professionals that promotes interaction and communication among members regarding information security management and practices. Members include numerous international and U.S. financial institutions and other corporations, educational institutions, and government agencies. On the strength of this presentation, CVE was invited to exhibit at the New England ISSA Security Conference on June 8, 2000 at Boston College in Chestnut Hill, MA.
Read MITRE's CVE Press Releases To-Date, Q1 2000
MITRE Employees Receive SANS Security Technology Leadership Awards, March 2000
MITRE's Information Security Dictionary Reaches Important Milestones/Microsoft, Ernst & Young Join Editorial Board, February 2000
MITRE and Top Security Organizations Launch First Public Dictionary of Computer Vulnerabilities to Boost Cyber-Defense, September 1999.
The CVE Initiative has achieved a new milestone by incorporating CVE candidate numbers into security advisories. ISS recently published two security advisories that include CVE candidate names. One is related to CAN-2000-0249 and the other is related to CAN-2000-0248.
CVE version 20000425 will be published to the CVE Web site in the next few days. It has 34 new entries, for a total of 644 entries.
CVE version 20000418 will be published to the CVE Web site in the next few days. It has 31 new entries, for a total of 610 entries.
CVE was the winner of the SANS 2000 Security Technology Leadership Award.
Casper Dik from Sun Microsystems has joined the Editorial Board.
The Nessus Project's (Renaud Deraison & Jordan Hrycaj) Nessus Security Tool is now CVE-compatible. You can view the entry on the CVE-Compatible Products page.
CVE version 20000410 has been released. It has 23 new entries, for a total of 579 entries.
A new addition has been made to the CVE-Compatible Products page: The National Institute of Standards and Technology I-CAT tool.
Drew Williams from BindView Corporation has provided CVE with a supporting quote on the What Others Are Saying page. His supporting quote can be viewed here.
CVE Version 20000322 has been released, with 53 new entries. This version of CVE has 556 entries.
A new addition has been made to the CVE-Compatible Products page: PGP Security, Network Associates' CyberCop Monitor and CyberCop Scanner.
The Editorial Board met at AXENT near Salt Lake City, Utah, on March 9-10. They discussed voting to approve candidates, issues related to Board membership, CVE Compatibility, and content decisions.
A new addition has been made to the CVE-Compatible Products page: World Wide Digital Security's Security Administrator's Integrated Network Tool (SAINT).
Marvin Christensen from IBM Emergency Response Service (ERS) has joined the Editorial Board.
There are four new additions to the Editorial Board: David LeBlanc from Microsoft, Ronson Nguyen from Ernst & Young, Jim Magdych from NAI, and Steve Schall from ODS.
The official CVE list has surpassed the 500 entry mark! CVE now lists 503 security vulnerabilities and exposures. The new version of CVE can be searched and is available for download.
The CVE candidate list is now publicly available! Candidates are items that are actively being considered for inclusion into CVE by the CVE Editorial Board. The current candidate list contains over 554 entries. You can learn more about candidates, search the candidates list, and download the current candidate list.
There are three new additions to the CVE-Compatible Products page: CYRANO, Ernst & Young, and Max Vision Network Security/Whitehats. Check them out.
Max Vision from Max Vision Network Security/Whitehats has provided CVE with a supporting quote on the What Others Are Saying page. His supporting quote can be viewed here.
The CVE list has been updated! CVE now lists 473 security vulnerabilities and exposures. The new version of CVE can be searched and is available for download.