Name of Your Organization:

High-Tech Bridge SA

Web Site:

http://www.htbridge.com/

Compatible Capability:

ImmuniWeb

Capability home page:

https://www.htbridge.com/immuniweb/

General Capability Questions

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

ImmuniWeb is publicly available on ImmuniWeb Portal, https://portal.htbridge.com, for any person who has a web browser and connection to the Internet.

Mapping Questions

Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

Upon ImmuniWeb security assessment completion customer receives assessment report in PDF format. In the report all the detected vulnerabilities are presented in a table format with various technical fields. All the vulnerabilities that are publicly known and have CVE ID assigned will have the following field:

Vulnerability CVE ID: CVE ID-HERE

In case if CVE ID is not assigned for a vulnerability, the value of this filed will be "Not Assigned".

It is important to mention that some of the detected vulnerabilities (for example in in-house web applications and private software) don’t have and quite probably will never have a CVE ID.

Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (required):

ImmuniWeb provides customer with a PDF report that is up2date on the date of delivery. All CVE IDs mentioned in the report are up2date on the date of delivery. CVE IDs are manually verified by security auditor to assure their accuracy and actuality.

Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CVE content (required):

Upon receipt of ImmuniWeb security assessment report customer may refer to Vulnerability Databases, for example to OSVDB (http://osvdb.org) with which High-Tech Bridge collaborates, to get the latest information about CVE IDs, CVE content and vulnerabilities statuses.

The report itself is not updatable after delivery due to the nature of the service. However, we do our best efforts to include all information about vulnerability (such as vendor patch or any unofficial solutions, VDBs entireties, etc.) and CVE content into report that is publicly available on the date of ImmuniWeb security assessment.

Map Content Selection Criteria <CR_5.4>

Describe the criteria used for determining the relevance of a given CVE Identifier to your Capability (required):

CVE ID is manually verified by ImmuniWeb auditors on various trustable sources, such as NIST and various Vulnerabilities Databases.

Map Currency Update Mechanism <CR_5.4>

Describe the mechanism used for reviewing CVE for content changes (required):

As already mentioned above, CVE IDs indicated in ImmuniWeb PDF report are not updatable due to the nature of the service. Therefore there is no need for a procedure to monitor such changes.

However, in the assessment report customer will be provided with hyperlinks to trustable web resources that describe vulnerabilities with assigned CVE IDs, which are supposed to be updated if the customer visits them in the future.

Please refer to <CR_5.3> for more details.

Map Content Source <CR_5.5>

Describe the source of your CVE content (required):

Main sources are NIST and various Vulnerabilities Databases.

If the vulnerability was discovered by High-Tech Bridge Security Research Lab (https://www.htbridge.com/advisory), which is also CVE-Compatible since 2012, we have CVE ID received directly from CVE Numbering Authority.

Documentation Questions

CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

We believe that the best and the most appropriate resource with CVE documentation that can provide our customers with the most complete, accurate and latest information about CVE is the official CVE website. Each ImmuniWeb security assessment report contains a hyperlink to it.

CVE-Compatibility is described on ImmuniWeb web page, https://www.htbridge.com/immuniweb/, also providing links to the official CVE website.

Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability’s repository (required):

ImmuniWeb customers can use default built-in Adobe Reader (or any other PDF document reading software) search function to search vulnerabilities in the report by CVE ID. This feature is obvious and does not require specific documentation.

Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability’s repository (required):

Same answer as in <CR_4.2>.

Type-Specific Capability Questions

Service Questions

Service Coverage Determination Using CVE Names <CR_A.3.1>

Give detailed examples and explanations of the different ways that a user can use CVE names to find out which security elements are tested or detected by the service (i.e. by asking, by providing a list, by examining a coverage map, or by some other mechanism) (required):

Each vulnerability in ImmuniWeb security assessment report is presented in a table that has the following fields:

  • CVE ID
  • CWE-ID
  • CVSSv2 Base Score

These fields make obvious which security tests were performed by ImmuniWeb.

A complete list of detectable security vulnerabilities is available on ImmuniWeb webpage, https://www.htbridge.com/immuniweb/technical-specifications.html#detected_vulnerabilities, where they are classified by CWE-ID.

Detailed information about each vulnerability type that is detected by ImmuniWeb is publicly available in our CWE Glossary, https://www.htbridge.com/vulnerability/, which is also mentioned in the report.

Finding CVE Names in Service Reports Using Elements <CR_A.3.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the user can determine the associated CVE names for the individual security elements in the report (required):

In ImmuniWeb security assessment report for each detected security vulnerability there is field in the table named "Vulnerability CVE ID" that contains CVE ID if it is assigned by CVE numbering authority. See <CR_5.1> for more details.

Media Questions

Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

ImmuniWeb security assessment report is provided in PDF format only.

Built-in search functions of PDF document reading software can be easily used to search vulnerabilities by specific CVE ID.

Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

ImmuniWeb report is well structured, and each table with vulnerability description is located on a separate page of the PDF document. As already mentioned above, each vulnerability description is presented in a table format that always contain highly visible "Vulnerability CVE ID" field.

Therefore, customers will be able to see CVE ID associated with vulnerability without any efforts (in case if CVE ID is assigned by CVE numbering authority to the vulnerability and disclosed by the date of security assessment).

Graphical User Interface (GUI)

Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CVE name(s) (required):

It depends on the software that user uses to read ImmuniWeb security assessment report that is delivered in PDF format.

For Adobe Reader it’s enough just to press "CTRL+F" key combination to get a search input box, which can be used to search vulnerabilities by CVE ID or any other search parameter.

GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability’s elements, also describe the format of the mapping (required):

The question is answered in details in <CR_B.3.2>.

Questions for Signature

Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Ilia Kolochenko

Title: CEO

Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability’s Repository and the CVE entries our capability identifies."

Name: Ilia Kolochenko

Title: CEO

Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Ilia Kolochenko

Title: CEO

Page Last Updated or Reviewed: August 10, 2017