|
|
High-Tech Bridge SA
High-Tech Bridge Security Advisories
Provide a short description of how and where your capability is made available to your customers and the public (required):
The CVE capability is publicly available on our website: https://www.htbridge.com/advisory/.
Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):
As, soon as we receive a CVE ID for new Security Advisory we update related advisory in the next 8 working hours (usually faster).
Example: https://www.htbridge.com/advisory/HTB23096
Until Public Disclosure date "CVE Reference" field of the advisory will have "Assigned (To be disclosed on $public_date)" value.
On Public Disclosure date [at 12.00AM, GMT+1] we disclose advisory content with CVE ID visible to everybody.
Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (required):
Our technical team is joinable by advisory@htbridge.com email, and is ready to react rapidly on any demand coming from MITRE/CVE regarding updating assigned CVE ID(s).
Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CVE content (required):
Response time of our technical team is less than 8 working hours. This time is usually sufficient to apply any change or update received from MITRE/CVE.
Describe the criteria used for determining the relevance of a given CVE Identifier to your Capability (required):
We publish only our own security advisories (HTB Security Advisories) with a CVE ID received directly from MITRE/CVE. Any necessary updates take less than 8 working hours.
Describe the mechanism used for reviewing CVE for content changes (required):
Same as above.
Describe the source of your CVE content (required):
Security Advisories are provided by our internal research team (High-Tech Bridge Security Research Lab), CVE IDs are provided directly by MITRE/CVE.
Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):
Disclosed security advisories always provide a description of CVE in "References" field:
"[3] Common Vulnerabilities and Exposures (CVE) — https://cve.mitre.org/ — international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures."
On "Related Links" section on every webpage in /advisory/ section of our website we have a link "About CVE®" pointing to https://cve.mitre.org/about/index.html "About CVE" webpage. We consider this webpage the most appropriate, complete, and useful for users looking for CVE-related documentation.
Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability’s repository (required):
On the main webpage of our Security Advisories we have a search function.
Search can be performed by a) CVE ID b) HTB-ID c) Advisory Name.Example: https://www.htbridge.com/advisory/?cveid=CVE-2012-2762&htbid=&vulnname=&action=search will display security advisory with CVE Reference CVE-2012-2762.
Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability’s repository (required):
Search function on the main webpage of our Security Advisories is designed in very comprehensible and simple way.
Its usage is obvious and does not require additional documentation:
https://www.htbridge.com/advisory/
Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CVE name or through an online mapping that links each element of the capability with its associated CVE name(s) (required):
As already explained in CR_4.3 section, the main webpage of our Security Advisories provides users with a search mechanism that enables everybody to search advisories by specific CVE ID.
Provide a detailed description of how someone can use your "URL template" to interface to your capability’s search function (recommended):
The Search function allows displaying all security advisories with a specific CVE ID.
The following URL enables search by CVE ID for any user: https://www.htbridge.com/advisory/?cveid=TYPE_CVE ID-HERE&htbid=&vulnname=&action=search
If the URL template is for a CGI program, does it support the HTTP "GET" method? (recommended):
Yes, see above.
Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CVE names for the individual security elements in the report. (required):
Each security element (security element is HTB Security Advisory in our case) has a "CVE Reference" field with CVE ID(s) related to this specific advisory.
Any HTB Security Advisory can be used as an example:
https://www.htbridge.com/advisory/HTB23084
If details for individual security elements are not provided, give examples and explanations of how a user can obtain a mapping that links each element with its associated CVE name(s), otherwise enter N/A (required):
N/A
Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):
All security advisories are provided in HTML format on the main page of HTB Security Advisories (https://www.htbridge.com/advisory) and in RSS format (http://feeds.feedburner.com/htbridge_disclosed_advisories).
Relevant CVE ID(s) are always indicated in the "CVE Reference" field for both formats.
If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):
As mentioned above, each security advisory webpage has related CVE ID(s) and name displayed.
Main page of Security Advisories, preview of any advisory and preview in Search results display relevant CVE ID(s) and name(s): https://www.htbridge.com/advisory/.
Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CVE name(s) (required):
Search function is described in CR_4.3 section. It provides any user with a GUI (input boxes "CVE ID", "HTB-ID", "Name" and "Search" button) with a search function and ability to find security advisories by CVE ID and name.
Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability’s elements, also describe the format of the mapping (required):
On Public Disclosure date relevant CVE ID(s) and name(s) are visible in all advisories where applicable.
Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):
Security Advisories are available both in HTML and RSS formats (see above). Relevant CVE ID(s) and name(s) are always available in "CVE Reference" field where applicable.
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."
Name: Ilia Kolochenko
Title: CEO
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability’s Repository and the CVE entries our capability identifies."
Name: Ilia Kolochenko
Title: CEO