
Official Vendor Statement Service for the set of CVE Vulnerabilities

CVE Editorial Board,


Several months ago, Red Hat approached NIST with the idea of creating a public forum for the software industry to comment upon the set of CVE vulnerabilities applicable to their products. Today, Red Hat released a press announcement on the service (attached) and I sent out an announcement on the National Vulnerability Database e-mail list (below). It is my hope that the software development community will take this opportunity to comment upon the CVE vulnerabilities related to their products and that third-party IT security vendors will import the official vendor statements into their products and services. We hope that this editorial board will find the service useful and will participate as early adopters of the service. Please send e-mail to nvd@nist.gov to learn how to participate.



Peter Mell

National Vulnerability Database Program Manager





NVD is pleased to announce a new service whereby we provide the software industry an open forum to comment upon the set of CVE vulnerabilities discovered in their products. Software vendors have the deepest knowledge about their products and thus are uniquely positioned to comment on their vulnerabilities.


The set of “official vendor statements” are available as an XML feed from the NVD download page, http://nvd.nist.gov/download.cfm. We encourage other vulnerability databases and services to incorporate these vendor statements alongside their CVE vulnerability descriptions. The statements are also available on the respective NVD vulnerability summary pages (e.g., http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4124).


Software development organizations can submit official statements by contacting NVD staff (nvd@nist.gov). The capability exists both for organizations to manually submit statements and for organizations to log into NVD to issue and modify statements themselves. We recommend the log-in capability for organizations that are affected by more than a few CVE vulnerabilities.


We would like to thank Red Hat, in particular Mark Cox, for coming up with the idea for this service. They recognized that the software industry needed an open forum in which they could comment on the CVE vulnerabilities in their products. They approached NVD with this idea and we started a pilot program in which Red Hat provided over 100 official statements regarding the CVE vulnerabilities. Each of these statements added valuable details that were not always available from third-party security advisories.


Organizations can use the service in a variety of ways. For example, they can provide configuration and remediation guidance, clarify vulnerability applicability, provide deeper vulnerability analysis, dispute third party vulnerability information, and explain vulnerability impact.


It is our hope that the software industry will actively participate in this open forum and that the “official vendor statements” will be propagated throughout the 300+ products and services that use the CVE vulnerability naming standard (http://cve.mitre.org).


Peter Mell

National Vulnerability Database Program Manager



Attachment: Red Hat PR Final.doc

Page Last Updated or Reviewed: May 22, 2007