CVE List▾ CVE List Search Search Tips CVE Request Web Form Web Form Help PGP Key CVE List Documents & Guidance Terms of Use        CNAs▾ CVE Numbering Authorities (CNAs) Participating CNAs CNA Documents, Policies & Guidance CNA Rules, Version 3.0 New CNA Onboarding Slides & Videos How to Become a CNA         WGs▾ CVE Working Groups Automation (AWG) CNA Coordination (CNACWG) Outreach and Communications (OCWG) CVE Quality (QWG) Strategic Planning (SPWG) Tactical (TWG)         Board▾ CVE Board Members Email Archives Meeting Archives Board Charter         About▾ About CVE Professional Code of Conduct CVE & NVD Relationship History Sponsor Documentation & Guidance FAQs Terminology       News & Blog▾ Latest CVE News Blog Podcast Calendar Archive Follow CVE Free CVE Newsletter CVEnew Twitter Feed CVEannounce Twitter Feed CVE on Medium CVE on LinkedIn CVEProject on GitHub CVE on YouTube
Search CVE List         Downloads         Data Feeds         Update a CVE Record         Request CVE IDs
TOTAL CVE Records: 228713 NOTICE: Transition to the all-new CVE website at WWW.CVE.ORG and CVE Record Format JSON are underway. NOTICE: Legacy CVE download formats deprecation is now underway and will end on June 30, 2024. New CVE List download format is available now.



News & Events (Archive)

1 Product from Catbird Network, Inc. Now Registered as Officially "CVE-Compatible"

One information security product from Catbird Networks Inc. has achieved the final stage of MITRE’s formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 90 products to-date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

Catbird Networks, Inc.

-

Catbird V-Security Service

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

Six Products and Services from Three Organizations Now Registered as Officially "CVE-Compatible"

Six additional information security products and services have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products and services are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 89 products to-date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

Tenable Network Security Inc.	-	Passive Vulnerability Scanner Security Center Nessus Security Scanner
TippingPoint Technologies, Inc.	-	TippingPoint Intrusion Prevention System
Easy Solutions, Inc.	-	Detect Vulnerability Scanning Service - External Detect Vulnerability Scanning Service - External/Internal

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

Secunia Makes Five Declarations of CVE Compatibility

Secunia declared that its enterprise tool for tracking, mapping, and managing vulnerabilities in corporate networks, Secunia OSI (Online Software Inspector); enterprise tool for tracking, mapping, and managing vulnerabilities in corporate servers, Secunia PSI (Personal Software Inspector); vulnerability intelligence and alerting service, Secunia VIF (Vulnerability Intelligence Feed); automated authenticated vulnerability scanner for networks, Secunia CSI (Corporate Software Inspector); and its vulnerability intelligence, alerting, and management product, Secunia EVM (Enterprise Vulnerability Manager); are CVE-Compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

Legendsec Technology Co., Ltd. Makes Declaration of CVE Compatibility

Legendsec Technology Co., Ltd. declared that its intrusion detection and management system, Secuward SecIPS 3600 Intrusion Prevention System, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

Three Products from Tenable Network Security Now Registered as Officially "CVE-Compatible"

Three information security products from Tenable Network Security have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 86 products to-date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

Tenable Network Security

-

Passive Vulnerability Scanner Security Center Nessus Security Scanner

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

CVEs Included in the SANS Top Cyber Security Risks 2009

The September 2009 SANS Top Cyber Security Risks, which documents "existing and emerging threats that pose significant risk to networks and the critical information that is generated, processed, transmitted, and stored on those networks", uses CVE Identifiers to uniquely identify the vulnerabilities it describes. This will help system administrators use CVE-Compatible Products and Services to help make their networks more secure.

SANS is a member of the CVE Editorial Board and its education and training materials are listed in the CVE-Compatible Products and Services section.

Making Security Measurable Briefing at DHS/DoD/NIST SwA Forum

CVE Compatibility Lead and CWE Program Manager Robert A. Martin presented a briefing about Making Security Measurable to the DHS/DoD/NIST SwA Forum on November 2, 2009 at MITRE Corporation in McLean, Virginia, USA.

Visit the CVE Calendar for information on this and other events.

Making Security Measurable Briefing and Booth at IT Security Automation Conference 2009

MITRE presented a briefing about Making Security Measurable and hosted a Making Security Measurable booth at the U.S. National Institute of Standards and Technology’s (NIST) 5th Annual IT Security Automation Conference on October 26-29, 2009 in Baltimore, Maryland, USA. The CVE Team also contributed to the CVE-related workshops.

Visit the CVE Calendar for information on this and other events.

Eight Products and Services from Six Organizations Now Registered as Officially "CVE-Compatible"

Eight additional information security products and services have achieved the final stage of MITRE’s formal CVE Compatibility Process and are now officially "CVE-Compatible." The products and services are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization’s listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 83 products to-date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

Beijing Topsec Co., Ltd.	-	Topsec Intrusion Protection System (TopIDP)
H3C	-	SecPath T Series IPS SecBlade IPS
Lenovo Security Inc.	-	Leadsec Intrusion Prevention System Lenovo Security Intrusion Detection System
Netcraft Ltd.	-	Audited by Netcraft Service
TMC y Cia	-	Falcon Vulnerabilities Analysis (FAV)
Trustwave	-	TrustKeeper Service

Use of the official CVE-Compatible logo will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises and the compatibility process questionnaire will help end-users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

For additional information about CVE compatibility and to review all products and services listed, visit the CVE Compatibility Process and CVE-Compatible Products and Services.

CVE Celebrates 10 Years!

CVE began 10 years ago this month with 321 entries on the CVE List. Since then, CVE has truly become the international standard for public software vulnerability identifiers with more than 38,000+ unique information security issues with publicly known names available on the CVE Web site. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a standard method for identifying vulnerabilities; facilitating their work processes; and cross-linking among products, services, and other repositories that use the identifiers.

Initially intended as a source of mature information, the immediate success of CVEs in the community required that the initiative quickly expand to address new security issues that were appearing almost daily. As a result, the CVE List grew quickly to 7,191 CVE-IDs after five years, and at 10 years now includes 38,727 CVE-IDs. CVEs are now assigned not only by MITRE, but also by major OS vendors, security researchers, and research organizations that assign CVEs to newly discovered issues and include the CVE-IDs in the first public disclosure of the vulnerabilities.

Impact of CVE on the Information Security Landscape

The widespread impact of CVE in enterprise security is illustrated by the numerous CVE-Compatible Products and Services in use throughout industry, government, and academia for vulnerability management, vulnerability alerting, intrusion detection, and patch management. The information security community endorsed the importance of "CVE-Compatible" products from the moment CVE was launched in 1999. As quickly as December 2000 there were 29 organizations participating with declarations of compatibility for 43 products. Today, there are 142 organizations and 252 products and services listed on the CVE site. Of these, 75 products and services from 40 organizations have completed the formal CVE Compatibility Process and are considered as "Officially CVE-Compatible."

CVE-IDs have been included in security advisories from 73 organizations including major OS vendors and others, ensuring the community benefits by having identifiers as soon as a software issue is announced. CVE-IDs are also used to uniquely identify vulnerabilities in public watch lists such as the SANS Top 20 Most Critical Internet Security Vulnerabilities and OWASP Top 10 Web Application Security Issues, and are rated by severity in the Common Vulnerability Scoring System (CVSS).

CVE has also inspired entirely new efforts. The U.S. National Vulnerability Database (NVD) of CVE fix information operated by the National Institute of Standards and Technology (NIST) is based upon, and synchronized with, the CVE List. In addition, the Open Vulnerability and Assessment Language (OVAL®) effort uses CVE-IDs for its standardized OVAL Vulnerability Definitions that test systems for the presence of CVEs, and the Common Weakness Enumeration (CWE™) dictionary of software weakness types is based in part on the CVE List. Other efforts inspired by the success of CVE include CVSS, Common Configuration Enumeration (CCE™), Common Platform Enumeration (CPE™), Common Attack Pattern Enumeration and Classification (CAPEC™), Common Event Expression (CEE™), Common Result Format (CRF™), Open Checklist Reporting Language (OCRL™), Open Checklist Interactive Language (OCIL), Benchmark Development, National Checklist Program Repository, Common Announcement Interchange Format (CAIF), Extensible Configuration Checklist Description Format (XCCDF), and Making Security Measurable.

The success of CVE and the other standards it inspired also eventually enabled the creation of NIST’s Security Content Automation Protocol (SCAP). SCAP employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the six existing open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are OVAL, CCE, CPE, XCCDF, and CVSS. In addition, the U.S. Federal Desktop Core Configuration (FDCC) requires verification of compliance with FDCC requirements using SCAP-validated scanning tools. CVE has also been a requirement in U.S. Department of Defense contracts.

And the adoption of CVE continues. This autumn the International Telecommunication Union’s (ITU-T) Cybersecurity Rapporteur Group, which is the telecom/information system standards body within the treaty-based 150-year-old intergovernmental organization, is adopting CVE as a part of its new "Global Cybersecurity Information Exchange Framework (X.CYBIEF)." ITU-T will be creating an "X.CVE standard" that is based on the current CVE Compatibility Requirements, and any future changes to the document will be reflected in subsequent updates to X.CVE.

Community Participation

CVE is an international information security community effort. It is your past and ongoing participation, endorsement, and support that have made CVE the community standard for vulnerability identifiers. We thank all you who have in any way used CVE-IDs in your products or research, promoted the use of CVE, and/or adopted CVE-compatible products or services for your enterprise.

We also thank past and present members of the CVE Editorial Board for the contributions, and we especially thank our sponsors throughout these nine years, particularly our current sponsor National Cyber Security Division at the U.S. Department of Homeland Security, for their past and current funding and support.

Our Anniversary Celebration

Please join us as our 10-year anniversary celebration continues throughout the coming year on the CVE Web site and in our Making Security Measurable booth at events throughout the remainder of 2009, at IT Security Automation Conference 2009, and then throughout 2010 including InfoSec World 2010, DoD Information Assurance Symposium 2010, RSA 2010, and Black Hat Briefings 2010.

As always, we welcome any comments or feedback about CVE at cve@mitre.org.

CVE 10-Year Anniversary Main Topic of Article on Government Computer News

An article about CVE’s 10-year anniversary entitled "CVE: Ten years and more than 38,000 vulnerabilities catalogued" was published in Government Computer News on September 23, 2009. The article talks about the origins of CVE, how it has grown over since it launched on September 29, 1999, and how it has inspired new efforts such as CWE and its Top 25 list. The article also includes quotes from CVE Co-Creator and Technical Lead Steve Christey and CVE Compatibility Lead Robert A. Martin.

CVE Compatibility Requirements Document Updated

The "Requirements and Recommendations for CVE Compatibility" document in the CVE-Compatible Products section has been updated to Version 1.2. The main changes included removing the emphasis on candidates and entries to reflect how people really use CVEs in the community, and to remove the mapping accuracy assessment from the compatibility process while retaining the mapping accuracy requirements so that MITRE can process compatibility declarations more quickly. With the requirements for mapping accuracy still in force but no longer verified by MITRE during the initial compatibility process, a few requirements were added to provide greater insight into how that mapping is done and maintained. MITRE retains the right to do a mapping accuracy assessment if the mapping accuracy becomes a disputed issue, up to and including revocation of compatibility. The CVE Compatibility and Adoption Process page has also been updated to reflect these changes.

Please send any comments or concerns to cve@mitre.org.

Making Security Measurable Briefing and Booth at IT Security Automation Conference 2009, October 26-29

MITRE is scheduled to present a briefing about Making Security Measurable and host a Making Security Measurable booth at the U.S. National Institute of Standards and Technology’s (NIST) 5th Annual IT Security Automation Conference on October 26-29, 2009 in Baltimore, Maryland, USA. The CVE Team is also scheduled to contribute to the CVE-related workshops.

Visit the CVE Calendar for information on this and other events.

CVE Editorial Board Updates

The following new members have been added to the CVE Editorial Board:

• Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)
• Brian Martin, Open Source Vulnerability Database (OSVDB)
• Tim Keanini, nCircle Network Security, Inc.
• Carsten Eiram, Secunia

Information-technology Promotion Agency, Japan (IPA) Post Two CVE Compatibility Questionnaires

Information-technology Promotion Agency, Japan (IPA) has achieved the second phase of the CVE Compatibility Process for three products by submitting a CVE Compatibility Questionnaire for JVN Vulnerability Countermeasure Information Database (JVN iPedia), and a CVE Compatibility Questionnaire for Filtered Vulnerability Countermeasure Information Tool (MyJVN). In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.

JPCERT/CC Post Compatibility Questionnaire

Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) has achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for Japan Vulnerability Notes (JVN). In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.

Making Security Measurable Main Topic of Article in CrossTalk, The Journal of Defense Engineering

An article entitled "Making Security Measurable and Manageable" by CVE Compatibility Lead and CWE/CAPEC Program Manager Robert A. Martin was published in the September/October 2009 issue of CrossTalk, The Journal of Defense Engineering.

The article explains how measurable security and automation can be achieved by having government and public efforts address the creation, adoption, operation, and sustainment of their information security infrastructures in a holistic manner and by using common, standardized concepts to define the data (CVE, CCE, CPE, CAPEC, CWE, etc.), communicating this information through standardized languages (OVAL, XCCDF, CEE, etc.), sharing the information in standardized ways (OVAL Repository, NVD, etc.), and adopting tools and services that adhere to these standards.

CVE Included as Topic at IT Security Automation Conference 2009, October 26-29

CVE will be included as a topic at the U.S. National Institute of Standards and Technology’s (NIST) 5th Annual IT Security Automation Conference on October 26-29, 2008 in Baltimore, Maryland, USA. The CVE Team is also scheduled to contribute to the CVE-related workshops.

NIST’s Security Content Automation Protocol (SCAP) employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards The other five standards are Open Vulnerability and Assessment Language (OVAL), a standard XML for security testing procedures and reporting; Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

Visit the CVE Calendar for information on this and other events.

Making Security Measurable Briefing at GFIRST5: The 5 Pillars of Cyber Security, August 24-28

CVE Compatibility Lead and CWE/CAPEC Program Manager Robert A. Martin presented a briefing about Making Security Measurable at GFIRST5: The 5 Pillars of Cyber Security on August 24-28, 2009 at Atlanta, Georgia, USA.

Visit the CVE Calendar for information on this and other events.

IMPORTANT: CVE Web Site Outage from 8pm on August 21 until 11pm on August 22

Due to electrical system upgrades the CVE Web site will be temporarily unavailable from 8:00pm eastern time on Friday, August 21, 2009 through 11:00pm on Saturday, August 22, 2009.

We apologize for any inconvenience. Please contact cve@mitre.org with any comments or concerns.

The U.S. National Vulnerability Database, which provides enhanced information about CVE identifiers, will not be affected.

Lenovo Security Inc. Posts CVE Compatibility Questionnaire

Lenovo Security Inc. has achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for Leadsec Intrusion Prevention System. In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.

Outpost24 Makes Two Declarations of CVE Compatibility

Outpost24 declared that its on-demand service for perimeter vulnerability assessment, OUTSCAN, and its plug-and-play appliance for internal vulnerability assessment, HIAB, are CVE-Compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

MITRE Hosts ‘Making Security Measurable’ Booth at Black Hat Briefings 2009

CVE participated in a Making Security Measurable booth at Black Hat Briefings 2009 on July 29-30, 2009 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.

Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures. See photos below:

Visit the CVE Calendar for information on this and other events.

Photos from MITRE’s Security Automation Developer Days 2009

MITRE hosted the first-ever Security Content Developer Days 2009 on June 8-12, 2009, at MITRE in Bedford, Massachusetts, USA. This free five-day conference was technical in nature and focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

See event photos:

For additional information visit the Developer Days page on the Making Security Measurable Web site.

CounterSnipe Makes Declaration of CVE Compatibility

CounterSnipe LLC declared that its network knowledge-based intrusion prevention system, CounterSnipe, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

CVE Scheduled to Participate in ‘Making Security Measurable’ Booth at Black Hat Briefings 2009 on July 29-30

CVE is scheduled to participate in a Making Security Measurable booth at Black Hat Briefings 2009 on July 29-30, 2009 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.

Stop by Booth 70 and learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the CVE Calendar for information on this and other events.

MITRE Hosts Security Automation Developer Days 2009

MITRE hosted the first-ever Security Content Developer Days 2009 on June 8-12, 2009, at MITRE in Bedford, Massachusetts, USA. This free five-day conference was technical in nature and focused on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

The purpose of the event was for the community to discuss SCAP in technical detail and to derive solutions that benefit all concerned parties. Discussion topics include NIST SP 800-126, SCAP content management, lifecycle, validation, and remediation; OVAL®, XCCDF, emerging specifications, and perceived gaps in standards coverage; ontology; and use cases. CCE was also mentioned.

For additional information visit the Developer Days page on the Making Security Measurable Web site.

CVE Mentioned in Article about SCAP in Computerworld

CVE was mentioned in an article entitled "How SCAP Brought Sanity to Vulnerability Management" in Computerworld on May 11, 2009. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

CVE is mentioned when the author explains that "SCAP is part of the Information Security Automation Program and is made up of a collection of existing standards. These standards include some that many of us are already familiar with, such as the Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Additionally, it includes the Common Platform Enumeration (CPE), a standard to describe a specific hardware, OS and software configuration. This is helpful for enumerating assets, giving you your baseline information to apply all of this data; the Common Configuration Enumeration (CCE), very similar to CVE but dealing with misconfiguration issues; the Open Vulnerability and Assessment Language (OVAL) to provide schemas that describe the inventory of a computer, the configuration on that computer and a report of what vulnerabilities were found on that computer; and Extensible Configuration Checklist Description Format (XCCDF), a description language to help you apply your technical policies and standards to your scanning tools."

The author also provides an example of SCAP in action: "Let’s see how this helps me in building a real solution. As a head of a vulnerability management program as discussed earlier, I am sitting on data from application security assessment tools, host and network scanners, and database vulnerability and configuration scanners. In reality, this includes multiple products and services for application security, as well as multiple tools for host and network assessments. I set out by taking advantage of APIs when available from the assessment tool providers as well as XML data feeds. Utilizing the code I’ve just written to automate the movement of the data, I now need to map this information to a normalized schema, taking advantage of the SCAP standards. This is a big deal! I now have a common way to describe the vulnerabilities. I can eliminate duplicates that reference the same CVE on the same platforms."

CVE Mentioned in Article about SCAP in Government Computer News

CVE was mentioned in an article entitled "Draft guidelines issued for using SCAP to automate security validation" in Government Computer News on May 7, 2009. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Special Publication 800-117: Guide to Adopting and Using the Security Content Automation Protocol that specifies how enterprises can use its Security Content Automation Protocol (SCAP), and a revised version of its testing requirements that security products using SCAP must meet to achieve SCAP validation entitled Draft NIST Interagency Report 7511: Security Content Automation Protocol Validation Program Test Requirements, Revision 1.

CVE is mentioned in the article as one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results: "Common Vulnerabilities and Exposures, a dictionary of names for publicly known security-related software flaws." The other five standards are Open Vulnerability and Assessment Language (OVAL), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Extensible Configuration Checklist Description Format (XCCDF), and Common Vulnerability Scoring System (CVSS). CVE is mentioned a second time when discussing NIST’s recommended guidelines for using SCAP: "Organizations should use SCAP for vulnerability measurement and scoring. SCAP enables quantitative and repeatable measurement and scoring of software flaw vulnerabilities across systems through the combination of the Common Vulnerability Scoring System (CVSS), CVE, and CPE."

Comments on draft guidelines 800-117 are due to NIST by June 12, 2009 and should sent to 800-117comments@nist.gov and include "Comments SP 800-117" in the subject line.

MITRE to Host Security Automation Developer Days, June 8-12

MITRE is scheduled to host the first-ever Security Automation Developer Days 2009 on June 8-12, 2009, at MITRE in Bedford, Massachusetts, USA. This free five-day conference will be technical in nature and focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

The purpose of the event is for the community to discuss SCAP in technical detail and to derive solutions that benefit all concerned parties. Currently scheduled discussion topics include NIST SP 800-126, SCAP content management, lifecycle, validation, and remediation; OVAL®, XCCDF, emerging specifications, and perceived gaps in standards coverage; ontology; and use cases. CVE will also be mentioned. Review the conference agenda.

For additional information or to register visit http://www.mitre.org/register/scap/.

Beijing Topsec Co., Ltd. Posts CVE Compatibility Questionnaire

Beijing Topsec Co., Ltd. achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for Topsec Intrusion Protection System (TopIDP). In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.

SoftRun, Inc. Posts CVE Compatibility Questionnaire

SoftRun, Inc. achieved the second phase of the CVE Compatibility Process by submitting a CVE Compatibility Questionnaire for Inciter Vulnerability Manager. In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the CVE Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially CVE-Compatible."

For additional information and to review the complete list of all products and services participating in the compatibility program, visit the CVE-Compatible Products and Services section.

iPolicy Networks Makes Two Declarations of CVE Compatibility

iPolicy Networks (Security Product Division of Tech Mahindra Ltd.) has declared that its iPolicy Security Manager and its iPolicy Intrusion Prevention Firewall are CVE-Compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

H3C Technologies Co., Ltd. Makes Two Declarations of CVE Compatibility

H3C Technologies Co., Ltd. has declared that its SecPath T Series IPS and its SecBlade IPS will be CVE-Compatible. For additional information about these and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

MITRE Hosts "Making Security Measurable" Booth at RSA 2009

MITRE hosted a Making Security Measurable booth at RSA 2009 at the Moscone Center in San Francisco, California, USA, on April 20-24, 2009. Booth photos:

Visit the CVE Calendarfor information on this and other events.

Information Systems Security Association (ISSA) Awards MITRE as "Outstanding Organization of the Year 2008"

MITRE Corporation was recognized as "Outstanding Organization of the Year" for 2008 by the Information Systems Security Association (ISSA). The award was presented at RSA 2009 at the Moscone Center in San Francisco, California, USA, on April 22, 2009, and was accepted on behalf of MITRE by Senior Vice President and General Manager of the Center for Integrated Intelligence Systems Robert Nesbit, Information Security Executive Director Marion Michaud, and Principal Information Systems Engineer Marc Noble.

MITRE was nominated for the award by the ISSA Northern Virginia Chapter for its role as a long-time supporter of the association and the information security profession, and for the development of publicly available solutions to thwart cybercrime, such as its "honeyclient" open-source package that proactively monitors Internet servers for fast-running, malicious programs designed to infect user systems.

"We see it as part of our public service mission to support the information security profession, including sharing knowledge we’ve developed to safeguard data and protect it from misuse," said Al Grasso, MITRE president and chief executive. "Recognition by ISSA tells us we’re meeting this critical responsibility."

In the past decade, MITRE has developed four of the six security standards that comprise the National Institute of Standards and Technology’s Security Content Automation Protocol, or SCAP. The four standards — Common Vulnerabilities and Exposures (CVE®); Open Vulnerability and Assessment Language (OVAL®); Common Platform Enumeration (CPE™); and Common Configuration Enumeration (CCE™) — are also part of MITRE’s "Making Security Measurable" effort.

MITRE to Host "Making Security Measurable" Booth at RSA 2009

MITRE is scheduled to host a Making Security Measurable booth at RSA 2009 at the Moscone Center in San Francisco, California, USA, on April 20-24, 2009. Please stop by Booth 2411 and say hello!

CVE/Making Security Measurable Briefing Presented at DHS/DoD/NIST SwA Forum

CVE Compatibility Lead and CWE Program Manager Robert A. Martin presented a briefing about CVE/Making Security Measurable to the DHS/DoD/NIST SwA Forum on March 10-12, 2009 at MITRE Corporation in McLean, Virginia, USA.

Visit the CVE Calendar for information on this and other events.

Beijing Topsec Co., Ltd. Makes Declaration of CVE Compatibility

Beijing Topsec Co., Ltd. has declared that its Topsec Intrusion Protection System (TopIDP) is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

MITRE Hosts "Making Security Measurable" Booth at InfoSec World 2009

MITRE hosted a Making Security Measurable booth at MIS Training Institute’s (MISTI) InfoSec World Conference & Expo 2009 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on March 9-10, 2009.

Visit the CVE Calendar for information on this and other events.

CVE List Surpasses 35,000 CVE Identifiers

The CVE Web site now contains 35,160 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a standard method for identifying vulnerabilities, and for cross-linking among products, services, and other repositories that use the identifiers.

The widespread adoption of CVE in enterprise security is illustrated by the numerous CVE-Compatible Products and Services in use throughout industry, government, and academia for vulnerability management, vulnerability alerting, intrusion detection, and patch management. Major OS vendors and other organizations from around the world also include CVE-IDs in their security alerts to ensure that the international community benefits by having the identifiers as soon as a problem is announced. CVE-IDs are also used to uniquely identify vulnerabilities in public watch lists such as the SANS Top 20 Most Critical Internet Security Vulnerabilities and OWASP Top 10 Web Application Security Issues.

CVE has also inspired new efforts. MITRE’s Common Weakness Enumeration (CWE) dictionary of software weakness types is based in part on the CVE List, and its Open Vulnerability and Assessment Language (OVAL) effort uses CVE-IDs for its standardized OVAL Vulnerability Definitions that test systems for the presence of CVEs. In addition, the U.S. National Vulnerability Database (NVD) of CVE fix information that is synchronized with and based on the CVE List also includes Security Content Automation Protocol (SCAP) content. SCAP employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and CVE is one of the six existing open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results.

Each of the 35,000+ identifiers on the CVE List includes the following: CVE Identifier number (i.e., "CVE-1999-0067"); indication of "entry" or "candidate" status; brief description of the security vulnerability; and pertinent references such as vulnerability reports and advisories or OVAL-ID. Visit the CVE List page to download the complete list in various formats or to look-up an individual identifier. Fix information and enhanced searching of CVE is available from NVD.

CVE Mentioned in Top Twenty Most Critical Security Controls Document

CVE was mentioned in Draft 1.0 of the "Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance" consensus list released by a consortium of federal agencies and private organizations on February 23, 2009. The document, which uses "knowledge of actual attacks and defines controls that would have stopped those attacks from being successful," includes 15 critical controls that are subject to automated measurement and validation and an additional 5 critical controls that are not.

CVE is mentioned as follows in a section about why the list is so important for chief information security officers (CISOs), chief information officers (CIOs), federal inspectors general, and auditors: "This effort also takes advantage of the success and insights from the development and usage of standardized concepts for identifying, communicating, and documenting security-relevant characteristics/data. These standards include the following: common identification of vulnerabilities (Common Vulnerabilities and Exposures-CVE), definition of secure configurations (Common Configuration Enumeration-CCE), inventory of systems and platforms (Common Platform Enumeration-CPE), vulnerability severity (Common Vulnerability Scoring System-CVSS) and identification of application weaknesses (Common Weaknesses Enumeration-CWE). These standards have emerged over the last decade through collaborative research and deliberation between government, academia and industry. While still evolving, several of these efforts in standardization have made their way into commercial solutions and government, industry, and academic usage. Perhaps most visible of these has been the Federal Desktop Core Configuration (FDCC) which leveraged the Security Content Automation Program (SCAP)."

The draft is available for public review and comment at www.sans.org/cag, www.csis.org, and www.gilligangroupinc.com until March 23, 2009.

SoftRun, Inc. Makes Declaration of CVE Compatibility

SoftRun, Inc. has declared that its vulnerability assessment and remediation tool, Inciter Vulnerability Manager, is CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.

MITRE to Host "Making Security Measurable" Booth at InfoSec World 2009, March 9-10

MITRE is scheduled to host a Making Security Measurable booth at MIS Training Institute’s (MISTI) InfoSec World Conference & Expo 2009 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on March 9-10, 2009. Please stop by booth 531 and say hello.

Visit the CVE Calendar for information on this and other events.

MITRE Hosts "Making Security Measurable" Booth at 2009 Information Assurance Symposium

MITRE hosted a Making Security Measurable booth at the 2009 Information Assurance Symposium at the Sheraton Dallas International Conference and Exposition Center, in Dallas, Texas, USA, on February 3-6, 2009. The symposium is designed to bring together industry, government, and military information assurance professionals with "the latest Information Assurance (IA) products and solutions available to secure voice and data networks."

Visit the CVE Calendar for information on this and other events.

MITRE to Host "Making Security Measurable" Booth at 2009 Information Assurance Symposium, February 3-6

MITRE is scheduled to host a Making Security Measurable booth at the 2009 Information Assurance Symposium at the Sheraton Dallas International Conference and Exposition Center, in Dallas, Texas, USA, on February 3-6, 2009. The symposium is designed to bring together industry, government, and military information assurance professionals with "the latest Information Assurance (IA) products and solutions available to secure voice and data networks." Please stop by booth 301 and say hello.

Visit the CVE Calendar for information on this and other events.

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2009

MITRE has announced its initial Making Security Measurable calendar of events for 2009. Details regarding MITRE’s scheduled participation at these events are noted on the CVE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

• 2009 Information Assurance Symposium, February 3-6, 2009
• InfoSec World Conference & Expo 2009, March 9-10, 2009
• RSA 2009, April 20-24, 2009
• Black Hat Briefings 2009, July 29-30, 2009

Other events may be added throughout the year. Visit the CVE Calendar for information or contact cve@mitre.org to have MITRE present a briefing or participate in a panel discussion about CVE, CCE, CPE, CAPEC, CWE, CEE, CRF, OVAL, and/or Making Security Measurable at your event.

Information-technology Promotion Agency, Japan (IPA) Makes Two Declarations of CVE Compatibility

Information-technology Promotion Agency, Japan (IPA) has declared that its online Vulnerability Countermeasure Information Database (JVN iPedia), and its Filtered Vulnerability Countermeasure Information Tool (MyJVN) notification service, are CVE-Compatible. For additional information about this and other CVE-compatible products, visit the CVE-Compatible Products and Services section.