CVE-Compatible Products and Services
The products and services listed below have achieved the final stage of MITRE's formal CVE Compatibility Process and are now "Officially CVE-Compatible." Each organization's product is now eligible to use the CVE-Compatible Product/Service logo, and their completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaires are posted here and on the Organizations Participating page as part of their product listings.
Products that have completed the compatibility process and are awaiting review by MITRE are posted below in the Compatible - Under Review section.
Organizations are listed alphabetically:
AdventNet, Inc.
Quote/Declaration: "AdventNet is pleased to support CVE names in the vulnerability database of the SecureCentral product line, as part of our commitment to embracing industry standards."
Last Updated: February 19, 2008

Archer Technologies
Quote/Declaration: "Archer Technologies Enterprise Security Management is a knowledge management system for the collection, management and distribution of critical security content such as vulnerabilities, technical baselines, control standards and information security policies as they relate to specific risk that IT assets face within the enterprise. The Archer Technologies product suite strongly supports the CVE standard, which greatly assists in our integration with other security products and vendors. The CVE mapping enables our clients to intelligently analyze, cross reference and search vulnerabilities that affect their organization."
Jon Darbyshire, CEO, Archer Technologies LLC
Last Updated: March 12, 2008

ArcSight, Inc.
Quote/Declaration: "As a pioneer and leading provider of security management solutions for the enterprise ArcSight actively promotes and supports open systems standards such as CVE. ArcSight uses cross-device correlation to detect sophisticated multi-source, multi-target attacks while keying into the correct policies and procedures for response via the CVE names. It enables security experts and IT managers to cross-correlate information and references about different threats reported by disparate security products and solutions — a necessity to understand the real impact of vulnerabilities and attacks."
Last Updated: April 5, 2005

Assuria Limited
Quote/Declaration: "Assuria Auditor (Formerly ISS System Scanner) was previously certified as ISS System Scanner. Assuria have enhanced and added functionality and features around CVE reporting in the product."
Last Updated: February 19, 2008

Beijing Topsec Co., Ltd.
Last Updated: April 30, 2007

Beijing Venus Information Security Technology, Inc.
Quote/Declaration: "Venus Information Technology, Inc. aims to provide users a series of network security products along with our own independent intellectual property and complied with international standard, CVE. Beyond product, we can deliver customers life-cycle services including consulting, design, implementation, maintenance and training."
Helen Wang
Last Updated: March 18, 2008

Beyond Security Ltd.
Quote/Declaration: "Beyond Security Ltd.'s Automated Scanning provides users with a complete picture of the security of their organization by leveraging the huge SecuriTeam.com knowledgebase. As such, we see high importance for the CVE naming scheme, which provides a global independent reference for known security vulnerabilities."
Last Updated: April 5, 2005

CA
Quote/Declaration: "As a respected member of the MITRE CVE Editorial Board and a global leader in security, Computer Associates International, Inc (CA) is fully committed to supporting the MITRE CVE Initiative. With the increasing number of vulnerabilities, CA recognizes the need and the importance for a common vulnerability naming and enumerating standard. CA Threat Research Team leverages the CVE List by correlating our vulnerability database with the MITRE CVE List. By providing this information to our customers through our Threat Management products — eTrust Vulnerability Manager, and eTrust Policy Compliance, users can quickly and accurately identify a common vulnerability name and number, and in addition cross-reference this information with other sources and products that are CVE-compatible."
Last Updated: February 14, 2006

Critical Watch
Quote/Declaration: "Critical Watch supports MITRE's CVE program for standardizing a naming scheme for vulnerabilities. Incorporating CVE names into our enterprise vulnerability management solution enables our customers to act swiftly and confidently to collapse windows of exposure."
Nelson Bunker, Chief Security Officer
Last Updated: April 14, 2008

DragonSoft Security Associates, Inc.
Quote/Declaration: "DragonSoft Security Associates, Inc. believes that CVE provides the correct direction to a uniform and consistent representation of vulnerabilities and exposures information. As a company which research and design vulnerabilities and exposures detecting software, we are very desirous to providing CVE compatible product to our customers that researches and designs software for detecting vulnerabilities and exposures, we believe it is important to provide CVE-compatible products to our customers."
Last Updated: April 30, 2007

eEye Digital Security
Quote/Declaration: "eEye Digital Security is a leading developer of network security software and an active contributor to network security research and education. eEye protects enterprises throughout the entire vulnerability lifecycle and offers a comprehensive range of award-winning solutions for vulnerability assessment, remediation management, intrusion prevention and network forensics. eEye is pleased to support the CVE Initiative and will continue to promote the standardization of the CVE naming convention and vulnerability identification."
Last Updated: November 8, 2004

FuJian RongJi Software Company, Ltd
Quote/Declaration: "FuJian RongJi Software Company, Ltd., in association with the Institute of High Energy Physics, the Chinese Academy of Sciences, has developed the RJ-iTop Network Vulnerability Scanner System, which provides CVE Output and is CVE Searchable. In addition, its database is fully searchable by keyword, CVE name, or candidate number. We have made our product compatible with CVE so that administrators can easily differentiate which is the best product for them among the different security products."
C. Shanmao Lin, RongJi Enterprise
Last Updated: March 18, 2008

GFI Software Ltd.
Quote/Declaration: "GFI recognizes the importance of standards in a field which is encountering even bigger challenges, variation of attacks and abuses of IT systems. While searching for a standard which will allow us to adhere to as well as encourage our customers to refer to vulnerabilities in a particular format, we found a perfect synergy between our technology and CVE. We believe that such integration will provide a common ground for our customers and security administrators out there to share and unify experiences against these ever increasing threats."
Last Updated: March 12, 2008

Harris Corporation
Quote/Declaration: "Harris Corporation has integrated the CVE standard into its STAT Scanner, which provides the ability to identify, track, compare, and contrast vulnerabilities. STAT Scanner has a fully integrated interface that allows the user to see the specific CVE information, while at the same time providing predefined configuration files that scan specifically for all CVE vulnerabilities."
Lilo Newberry, STAT Director of Operations, Harris Corporation
Last Updated: April 30, 2007

IBM Internet Security Systems
Quote/Declaration: "The CVE naming standard developed by MITRE represents a significant leap forward for the information security industry and end user community. As a technology pioneer and leading provider of security management software and services, IBM Internet Security Systems is pleased to be a part of this important initiative as we move toward a standard that is crucial to the effective protection of every organization's critical digital assets."
Christopher Klaus, Founder and Chief Technology Officer
Last Updated: April 30, 2008

Information Risk Management Plc
Quote/Declaration: "IRM ensures that clients acquire and maintain the core elements of information security by providing product-independent, expert, and impartial consulting services to organisations wishing to examine and improve the security of their information assets. It is essential that open and standardised vulnerability descriptions and metrics integrate into IRM's methodology and output so that clients may be assured of a common reference to findings and recommendations. CVE provides such a mechanism and is vital in providing meaningful security threat results."
Last Updated: April 30, 2007

Kingnet Security, Inc.
Quote/Declaration: "Kingnet Security plays a leading role in network security industry in China. We want our KIDS intrusion detection system to be compatible to the CVE standard so as to bring as much value to our customers as possible."
Last Updated: April 30, 2007

LANDesk Software Inc.
Quote/Declaration: "LANDesk Security and Patch manager supports the CVE naming standard, it's a simple and practical way to ensure that a vulnerability definition means the same thing to different people."
Last Updated: March 29, 2007

McAfee, Inc.
Quote/Declaration: "Because of today's ever changing threats, and vulnerability data a consent must be had to properly identify each. In the malicious code area these naming conventions exist and are very beneficial. The MITRE CVE program provides a naming standard that can be relied on when there is confusion or no standards agreed upon providing a method by which system administrators and other users can search the Internet to get the information on the same vulnerability via various sources."
Carl Banzhof - Vice President and Chief Technology Evangelist, McAfee
Last Updated: April 30, 2007

MITRE Corporation
Quote/Declaration: "OVAL provides a common language for security experts to discuss the technical details of how to check for the presence of vulnerabilities and configuration issues on local systems. The results of the discussions are collaboratively developed XML vulnerability, patch, and compliance definitions that are based on a common OVAL Schema and perform the checks. CVE names are used as the basis for all OVAL vulnerability definitions currently collected on the OVAL Web site. For each CVE name, there are one or more OVAL vulnerability definitions that measure the presence of that vulnerability on an end system. OVAL vulnerability definitions on the OVAL Web site can be searched by CVE name with entry or candidate status, and vulnerability definitions called up for review include CVE names."
Pete Tasker, Executive Director, Security and Info Operations Division
Last Updated: April 30, 2007

National Institute of Standards and Technology
Quote/Declaration: "The National Vulnerability Database contains all CVE information as well as vulnerability attribute information (e.g. vulnerable version numbers), direct access to U.S. government vulnerability resources, and annotated links to industry resources. The underlying data in the database is provided license free via an XML feed."
Last Updated: February 19, 2008

nCircle Network Security, Inc.
Quote/Declaration: "nCircle actively supports standardization efforts in the security market, including the CVE's common lexicon for the vulnerability namespace. As a member of the CVE editorial board, we are committed to ensuring nCircle's IP360 product continues to support CVE names and provides customers with an enterprise-class complete lifecycle approach to vulnerability management. Ultimately, this enables customers to find and eliminate vulnerabilities before they can be exploited, ensure security policy compliance and meaningfully measure and manage business risk."
Tim Keanini, CTO
Last Updated: November 8, 2004

NetClarity
Quote/Declaration: "NetClarity is a strong proponent of the CVE dictionary. The Auditor family of appliances automatically audit networks and reports those vulnerabilities discovered by our patent-pending vulnerability assessment engine. With CVE-specific information and remediation instructions, we enable our customers to better manage their risks, comply with regulations, and protect their assets."
Gary S. Miliefsky, CTO, CISSP, NetClarity, Inc.
Last Updated: February 14, 2006

netVigilance, Inc.
Quote/Declaration: "The SecureScout line of vulnerability assessment solutions, fully supports CVE references; our speed and ease of use enable users to more efficiently verify CVE coverage."
Last Updated: April 5, 2005

NileSOFT Ltd.
Quote/Declaration: "NileSOFT is proud to incorporate CVE in our product line. Our main products, Secuguard SSE (Host based Vulnerability Assessment Tool), Secuguard NSE (Network based Vulnerability Assessment Tool), mySSE for Web (Online PC Vulnerability Assessment Service), and LogCOPS (Enterprise Log Analysis and Management System) will continue to maintain the latest version of CVE."
Last Updated: April 30, 2007

NSFOCUS Information Technology Co., Ltd.
Quote/Declaration: "CVE has made a significant effort to standardize the names for vulnerabilities, and adopting CVE names can help to eliminate the differences in vulnerability descriptions among different security products. NSFOCUS announces our full support of the CVE standard and will provide CVE output and CVE searchable support in our RSAS vulnerability assessment system and Eye of Ice intrusion detection system security products."
Last Updated: December 19, 2006

NX Security
Last Updated: April 30, 2007

Qualys
Quote/Declaration: "Qualys is pleased to support MITRE's CVE Initiative of standardizing vulnerability identification and has incorporated the CVE naming scheme into its QualysGuard Web Services Architecture."
Gerhard Eschelbeck, CTO & Vice President of Engineering
Last Updated: February 24, 2004

Rapid 7, Inc.
Quote/Declaration: "As the provider of NeXpose, an enterprise vulnerability management product developed to accurately identify security weaknesses in an enterprise network, Rapid7 supports the CVE standard. With the volume of new vulnerabilities being found, a standard such as CVE enables all security vendors to be clear about what exposures their products have found, enabling the security staff to better understand what is being reported by disparate security products and how to remedy the issue."
Last Updated: June 19, 2006

Red Hat
Quote/Declaration: "It is often confusing when the same security issues get fixed by different vendors in different ways with different names and descriptions. We see the CVE Initiative as the way to solve this problem, giving the community accurate information on which they can base their security decisions. We are working with MITRE to contribute and validate new entries as well as publish CVE entries in our security advisories."
Mark Cox, Senior Director of Engineering
Last Updated: April 30, 2007

SAINT Corporation
Quote/Declaration: "SAINT, WebSAINT, and SAINTbox vulnerability reports and tutorials include relevant CVE links, providing the user with easy reference to related information and a basis for determining the extent of each product's capabilities. SAINTmanager vulnerability reports and tutorials include relevant CVE links, providing the user with easy reference to related information and a basis for determining the extent of SAINTmanager's capabilities. SAINT, WebSAINT, and SAINTbox are also CVE searchable with a CVE cross-reference that maps the CVE entries to the SAINT tutorials, while SAINTmanager is CVE searchable with a CVE cross-reference that maps the CVE entries to the corresponding SAINTmanager vulnerability IDs. We will continue to keep all SAINT products updated with the latest CVE numbers as they become available."
Last Updated: April 30, 2007

Secure Elements, Incorporated
Quote/Declaration: "C5 EVM combines vulnerability information from a myriad of sources to provide the most complete coverage possible for our customers. By relying on CVE, C5 EVM seamlessly integrates the information, providing our customers the highest level of protection available."
Dan Bezilla, CTO
Last Updated: April 30, 2007

SecureInfo Corporation
Quote/Declaration: "SecureInfo RMS, award-winning certification and accreditation software, is CVE-compatible. Supporting CVE is an important part of our vision in providing continuous monitoring capabilities in support of FISMA and our customer's information security programs."
Roberto R. Garcia, V.P. Product Engineering
Last Updated: February 19, 2008

Silicomp-AQL
Quote/Declaration: "CVE compatibility ensures that administrators can easily use different security products in order to find additional information they need."
Quote (French): "La compatibilité CVE permet aux administrateurs de naviguer entre les différents produits de sécurité, afin d'y trouver les compléments d'information dont ils ont besoin."
Last Updated: September 22, 2005

Sintelli Limited
Last Updated: February 24, 2004

Skybox Security Inc.
Quote/Declaration: "Skybox Security supports standards such as CVE that promote interoperability of security products. Skybox View, our exposure risk management solution, uses CVE names in its vulnerability dictionary and cross-references these to vulnerabilities imported by all vulnerability scanners such as Nessus, eEye Retina, ISS Internet Scanner, Qualys, and other market leaders. By running attack simulations against a virtual model of the network, Skybox View reveals vulnerabilities, based on CVE names, that are truly critical because they lie along an attack path to critical business applications. The CVE Initiative allows security professionals to understand risks and exposures in terms that can be cross-referenced to other security products - a growing necessity as more and more solutions automate the risk management process."
Last Updated: April 5, 2005

Software in the Public Interest, Inc.
Quote/Declaration: "Debian developers understand the need to provide accurate and up-to-date information of the security status of the Debian distribution, allowing users to manage the risk associated with new security vulnerabilities. CVE enables us to provide standardized references that allow users to develop a CVE-enabled security management process."
Last Updated: February 24, 2004

Symantec
Quote/Declaration: "Symantec maintains one of the largest vulnerability databases available today. Consisting of over 9000 distinct vulnerability records, we have strived to maintain CVE compliance from the outset of the CVE Initiative." "Symantec fully supports an industry-wide standard for the indexing of vulnerabilities. Our public web sites (SecurityFocus and SecurityResponse), and our commercial alerting services (DeepSight Alert Services) fully conform to the CVE requirements. This allows our customers to search for, and research vulnerabilities and blended threats using this common nomenclature. Symantec's wide range of security products utilize the industry-leading vulnerability database and employ trusted, fast and automated response capabilities to identify threats identified by CVE."
Last Updated: October 19, 2005

ThreatGuard, Inc.
Quote/Declaration: "Recognizing the importance of common indexing of known vulnerabilities, ThreatGuard has included CVE references in ThreatGuard VMS and ThreatGuard Traveler. These references are seamlessly integrated with the ThreatGuard Navigator client application, reports, and search engine. As we release new vulnerability tests, it is among ThreatGuard's top priorities to ensure CVE referencing is included and accurate, extending the efforts of the CVE initiative."
Last Updated: April 30, 2007

Trend Micro, Inc.
Last Updated: November 8, 2004

Watchfire Corporation
Quote/Declaration: "Watchfire's AppScan automates web application security audits to help ensure the security and compliance of websites. The use of CVE referencing in AppScan further enhances the information available to our users concerning Web application security vulnerabilities by cross referencing such information with a list of industry standard names."
Last Updated: April 14, 2008

WebZcan
Quote/Declaration: "WebZcan provides an easy-to-use, affordable, and weekly updated remote security scanning service for home users and small businesses that notifies them of the vulnerabilities in their systems and suggests remedial actions. We strongly believe that providing CVE compatibility in our services will simplify vulnerability naming and result in more effective remedial actions for our customers."
Last Updated: April 5, 2005