CVE-Compatible Products and Services
The products and services listed below have achieved the final stage of MITRE's formal CVE Compatibility Process and are now "Officially CVE-Compatible." Each organization's product is now eligible to use the CVE-Compatible Product/Service logo, and their completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaires are posted here and on the Organizations Participating page as part of their product listings.
Products that have completed the compatibility process and are awaiting review by MITRE are posted below in the Compatible - Under Review section.
Organizations are listed alphabetically:
Quote/Declaration: AdventNet is pleased to support CVE names in the vulnerability database of the
SecureCentral product line, as part of our commitment to embracing industry
standards.
| Application Security, Inc. |
Quote/Declaration: Application Security, Inc. is committed to delivering solutions that are compatible and interoperable with the IT security
environment at large. In the vulnerability management marketplace, that means speaking CVE. We've kept our SHATTER knowledgebase,
the world's most comprehensive list of database vulnerabilities and misconfigurations, up-to-date with CVE references since
2004.
— Josh Shaul, CTO
Quote/Declaration: As a pioneer and leading provider of security management solutions for the enterprise
ArcSight actively promotes and supports open systems standards such as CVE. ArcSight uses
cross-device correlation to detect sophisticated multi-source, multi-target attacks while
keying into the correct policies and procedures for response via the CVE names. It enables
security experts and IT managers to cross-correlate information and references about
different threats reported by disparate security products and solutions — a
necessity to understand the real impact of vulnerabilities and attacks.
Quote/Declaration: Assuria Auditor (formerly ISS System Scanner) was previously certified as ISS System
Scanner. Assuria have enhanced and added functionality and features around CVE reporting in
the product.
| Beijing Leadsec Technology Co., Ltd. |
Date Declared: March 13, 2011 |
| Beijing Venustech Security Inc. |
Quote/Declaration: Beijing Venustech Security Inc. provides users with a series of network security products, which along with our own independent
intellectual property, are compliant with the international standard, CVE. Beyond products, we deliver our customers life-cycle
services including consulting, design, implementation, maintenance, and training.
— Helen Wang
Quote/Declaration: Beyond Security Ltd.'s Automated Scanning provides users with a complete picture of the
security of their organization by leveraging the huge SecuriTeam.com knowledgebase. As
such, we see high importance for the CVE naming scheme, which provides a global independent
reference for known security vulnerabilities.
| Black Box Corporation |
Date Declared: March 29, 2010 |
Quote/Declaration: As a global leader in data, voice and enterprise security solutions, Black Box
Corporation (BBOX) fully supports the MITRE CVE® standard. We are pleased to
deploy our award winning CVE-compatible Veri-NAC appliances into the market with a faster,
less invasive vulnerability scanning system with direct links into the National
Vulnerability Database (NVD) for a deeper understanding of common vulnerabilities and
exposures as well as faster remediation.
Quote/Declaration: As a respected member of the MITRE CVE Editorial Board and a global leader in security,
Computer Associates International, Inc (CA) is fully committed to supporting the MITRE CVE
Initiative. With the increasing number of vulnerabilities, CA recognizes the need and the
importance for a common vulnerability naming and enumerating standard. CA Threat Research
Team leverages the CVE List by correlating our vulnerability database with the MITRE CVE
List. By providing this information to our customers through our Threat Management products
— eTrust Vulnerability Manager, and eTrust Policy Compliance, users can
quickly and accurately identify a common vulnerability name and number, and in addition
cross-reference this information with other sources and products that are
CVE-compatible.
Quote/Declaration: Catbird V-Security is a comprehensive security and compliance solution for virtual and
physical infrastructures, delivering best-practice security for Hypervisor, Guest VMs and
Policy/Regulatory Compliance. Cross-indexing the CVE in reports we present to our partners
and customers assists them in building effective security programs.
Quote/Declaration: Critical Watch supports MITRE's CVE program for standardizing a naming scheme for
vulnerabilities. Incorporating CVE names into our enterprise vulnerability management
solution enables our customers to act swiftly and confidently to collapse windows of
exposure.
— Nelson Bunker Chief Security Officer
| DragonSoft Security Associates, Inc. |
Quote/Declaration: DragonSoft Security Associates, Inc. believes that CVE provides the correct direction
to a uniform and consistent representation of vulnerabilities and exposures information. As
a company that researches and designs software for detecting vulnerabilities and exposures,
we believe it is important to provide CVE-compatible products to our customers.
Quote/Declaration: As a leader and innovator in the security industry, Easy Solutions, Inc. is pleased to
announce compatibility with the CVE Initiative.
— Ricardo E. Villadiego, Regional Director, Americas, Easy Solutions,
Inc.
Quote/Declaration: eEye Digital Security is an innovative leader in vulnerability and security research,
providing security solutions that help businesses and users protect their systems and
intellectual property from compromise. eEye enables secure computing through world-renowned
research and innovative technology, supplying the world's largest businesses with an
integrated and research-driven vulnerability assessment, intrusion prevention, and client
security solution. eEye is pleased to support the CVE Initiative and will continue to
promote the standardization of the CVE naming convention and vulnerability identification.
| Fortinet, Inc. |
Date Declared: April 5, 2011 |
Quote/Declaration: Fortinet has been an established security vendor for some time, and regularly discovers third-party security vulnerabilities
for which we request CVE Identifiers from MITRE. We also monitor the security space, develop IPS signatures, and map/reference
the CVEs for all of these in our advisories and encyclopedia.
| FuJian RongJi Software Company, Ltd |
Quote/Declaration: FuJian RongJi Software Company, Ltd., in association with the Institute of High Energy
Physics, the Chinese Academy of Sciences, has developed the RJ-iTop Network Vulnerability
Scanner System, which provides CVE Output and is CVE Searchable. In addition, its database
is fully searchable by keyword or CVE name. We have made our product
compatible with CVE so that administrators can easily differentiate which is the best
product for them among the different security products.
— C. Shanmao Lin, RongJi Enterprise
Quote/Declaration: GFI recognizes the importance of standards in a field which is encountering even bigger
challenges, variation of attacks and abuses of IT systems. While searching for a standard
which will allow us to adhere to as well as encourage our customers to refer to
vulnerabilities in a particular format, we found a perfect synergy between our technology
and CVE. We believe that such integration will provide a common ground for our customers
and security administrators out there to share and unify experiences against these ever
increasing threats.
Quote/Declaration: Globant is pleased to support MITRE's initiative of standardizing
vulnerability identification in our managed security services.
The adoption of MITRE's CVE standard benefits users, community and vendors
by providing a consistent and single way of identifying vulnerabilities
across different products.
| H3C Technologies Co., Limited |
Quote/Declaration: H3C Technologies Co., Limited has made our IPS product compatible with CVE for the
benefit of our customers and to support industry standards.
| Hangzhou DPtech Technologies Co., Ltd. |
Date Declared: March 23, 2011 |
Quote/Declaration: Hangzhou DPtech Technologies Co., Ltd. is pleased to support MITRE on the CVE effort to standardize vulnerability identification
not only for the security industry, but for our customers. DPtech IPS2000, our network-based intrusion prevention system,
and DPtech Scanner1000, our network and application vulnerability assessment scanner, have incorporated CVE names to provide
the most valuable information for our customers.
Quote/Declaration: IBM actively promotes, supports, and contributes to the emerging open systems standards
such as CVE that enable technology management software such as IBM Tivoli Risk Manager and
IBM Tivoli Security Operations Manager, intrusion detection, vulnerability assessment, and
security management components to inter-operate and share management information. We know
that open system standards are a critical step in this direction. We support CVE as the
first and the most complete naming convention for vulnerability mapping in the industry and
we are committed to using CVE within our product in a tightly integrated fashion.
| IBM Internet Security Systems |
Quote/Declaration: The CVE naming standard developed by MITRE represents a significant leap forward for
the information security industry and end user community. As a technology pioneer and
leading provider of security management software and services, IBM Internet Security
Systems is pleased to be a part of this important initiative as we move toward a standard
that is crucial to the effective protection of every organization's critical digital
assets.
— Christopher Klaus, Founder and Chief Technology Officer
| Information Risk Management Plc |
Quote/Declaration: IRM ensures that clients acquire and maintain the core elements of information security
by providing product-independent, expert, and impartial consulting services to
organisations wishing to examine and improve the security of their information assets. It
is essential that open and standardised vulnerability descriptions and metrics integrate
into IRM's methodology and output so that clients may be assured of a common reference to
findings and recommendations. CVE provides such a mechanism and is vital in providing
meaningful security threat results.
| Information-technology Promotion Agency, Japan (IPA) |
Quote/Declaration: IPA is proud to incorporate CVE in our product line. Our main product, JVN iPedia is a
vulnerability database that stores summary and countermeasure information on domestic and
overseas software products used in Japan. JVN iPedia is equipped with search functions
(Keyword, Product, CVSS, CVE, etc.) and RSS feeds, which provides the accumulated data in a
comprehensive manner.
| InfoSec Technologies Co., Ltd. |
| Japan Computer Emergency Response Team Coordination Center (JPCERT/CC) and Information-technology Promotion Agency, Japan (IPA) |
Quote/Declaration: Under the Information Security Early Warning Partnership in Japan, IPA receives private
vulnerability reports and JPCERT/CC coordinates with developers to prepare patches or
remedies. JVN provides information such as solution, vulnerability analysis by JPCERT/CC,
and vendor notes. JVN contains CVE information as well as vulnerability attribute
information.
Quote/Declaration: Kingnet Security plays a leading role in network security industry in China. We want
our KIDS intrusion detection system to be compatible to the CVE standard so as to bring as
much value to our customers as possible.
Quote/Declaration: LANDesk Security and Patch manager supports the CVE naming standard; it's a simple and
practical way to ensure that a vulnerability definition means the same thing to different
people.
| Legendsec Technology Co. Ltd |
Quote/Declaration: For the benefit of our customers, we believe it is important to be
fully compatible with the international CVE standard.
Quote/Declaration: The CSI service of laboratory LEXSI gathers applications and services offering a
coherent and complete IT security watch solution to its subscribers. At the core of the
CSI, ten experts supervise new security failures, carry out integrity tests, provide manual
avoidance solutions, reference and enrich the Vulnerabilities Database. Compatibility
between referred vulnerabilities and CVE dictionary provides to our subscribers and
partners full interworking of our watch system with all third party products and
services.
Quote/Declaration: Lumension Security (formerly PatchLink Corporation) is in the vulnerability management
business and as such fully recognizes the value of using CVE names. All of our patches have
CVE codes in them.
Quote/Declaration: Because of today's ever changing threats, and vulnerability data a consent must be had
to properly identify each. In the malicious code area these naming conventions exist and
are very beneficial. The MITRE CVE program provides a naming standard that can be relied on
when there is confusion or no standards agreed upon providing a method by which system
administrators and other users can search the Internet to get the information on the same
vulnerability via various sources.
— Carl Banzhof - Vice President and Chief Technology Evangelist,
McAfee
Quote/Declaration: OVAL provides a common language for security experts to discuss the technical details
of how to check for the presence of vulnerabilities and configuration issues on local
systems. The results of the discussions are collaboratively developed XML vulnerability,
patch, and compliance definitions that are based on a common OVAL Schema and perform the
checks. CVE names are used as the basis for all OVAL vulnerability definitions currently
collected on the OVAL Web site. For each CVE name, there are one or more OVAL vulnerability
definitions that measure the presence of that vulnerability on an end system. OVAL
vulnerability definitions on the OVAL Web site can be searched by CVE name, and vulnerability definitions called up for review
include CVE names.
— Pete Tasker, Executive Director, Security and Info Operations Division
| National Institute of Standards and Technology |
Quote/Declaration: The National Vulnerability Database contains all CVE information as well as
vulnerability attribute information (e.g. vulnerable version numbers), direct access to
U.S. government vulnerability resources, and annotated links to industry resources. The
underlying data in the database is provided license free via an XML feed.
| nCircle Network Security, Inc. |
Quote/Declaration: nCircle actively supports standardization efforts in the security market, including the
CVE's common lexicon for the vulnerability namespace. As a member of the CVE editorial
board, we are committed to ensuring nCircle's IP360 product continues to support CVE names
and provides customers with an enterprise-class complete lifecycle approach to
vulnerability management. Ultimately, this enables customers to find and eliminate
vulnerabilities before they can be exploited, ensure security policy compliance and
meaningfully measure and manage business risk.
— Tim Keanini, CTO
Quote/Declaration: NetClarity is a strong proponent of the CVE dictionary. The Auditor family of
appliances automatically audit networks and report those vulnerabilities discovered by our
patent-pending vulnerability assessment engine. With CVE-specific information and
remediation instructions, we enable our customers to better manage their risks, comply with
regulations, and protect their assets.
— Gary S. Miliefsky, CTO, CISSP, NetClarity, Inc.
Quote/Declaration: Netcraft is pleased to be able to offer mappings between its vulnerability scanner and
the CVE dictionary. We see CVE as an important security administration tool, linking our
services to a wider variety of other security devices, services and sources of security
information.
Quote/Declaration: The SecureScout line of vulnerability assessment solutions fully supports CVE
references; our speed and ease of use enable users to more efficiently verify CVE
coverage.
| Neusoft Corporation |
Date Declared: January 25, 2011 |
Quote/Declaration: NileSOFT is proud to incorporate CVE in our product line. Our main products, Secuguard
SSE (Host based Vulnerability Assessment Tool), Secuguard NSE (Network based Vulnerability
Assessment Tool), mySSE for Web (Online PC Vulnerability Assessment Service), and LogCOPS
(Enterprise Log Analysis and Management System) will continue to maintain the latest
version of CVE.
| NSFocus Information Technology (Beijing) Co., Ltd. |
Quote/Declaration: CVE has made significant efforts to standardize the names for vulnerabilities,
eliminate the potential gap in security coverage and provide easier interoperability among
different security products. NSFocus strives to deliver customers the enhanced security by
series of products with full support for the CVE standard.
| Offensive Security |
Date Declared: November 16, 2010 |
| Packet Storm |
Date Declared: October 20, 2011 |
Quote/Declaration: Packet Storm Security, the Internet's largest free security web site housing tools, exploits, advisories, papers, and more,
includes CVE names.
Quote/Declaration: Qualys is pleased to support MITRE's CVE Initiative of standardizing vulnerability
identification and has incorporated the CVE naming scheme into its QualysGuard Web Services
Architecture.
— Wolfgang Kandek, CTO & Vice President of Engineering
Quote/Declaration: As a leader in both vulnerability management and penetration testing, Rapid7 appreciates MITRE's efforts to provide unique
CVE Identifiers across both of these areas. This enables our customers to easily reference vulnerabilities and exploits across
systems.
Quote/Declaration: It is often confusing when the same security issues get fixed by different vendors in
different ways with different names and descriptions. We see the CVE Initiative as the way
to solve this problem, giving the community accurate information on which they can base
their security decisions. We are working with MITRE to contribute and validate new entries
as well as publish CVE entries in our security advisories.
— Mark Cox, Senior Director of Engineering
Quote/Declaration: RSA Archer eGRC Solutions are a knowledge management system for the collection, management and distribution of critical security
content such as vulnerabilities, technical baselines, control standards and information security policies as they relate to
specific risk that IT assets face within the enterprise. The RSA Archer eGRC Solutions suite strongly supports the CVE standard,
which greatly assists in our integration with other security products and vendors. The CVE mapping enables our clients to
intelligently analyze, cross reference and search vulnerabilities that affect their organization.
| Rsam |
Date Declared: February 7, 2011 |
Quote/Declaration: Rsam's Enterprise GRC platform has integrated CVE throughout all vulnerability management and assessment modules. Since 2005,
customers have utilized Rsam and CVE to declare, search, and report on common vulnerabilities, and to harmonize common
vulnerability data across disparate data sources.
Quote/Declaration: SAINT, WebSAINT, and SAINTbox vulnerability reports and tutorials include relevant CVE
links, providing the user with easy reference to related information and a basis for
determining the extent of each product's capabilities. SAINTmanager vulnerability reports
and tutorials include relevant CVE links, providing the user with easy reference to related
information and a basis for determining the extent of SAINTmanager's capabilities. SAINT,
WebSAINT, and SAINTbox are also CVE searchable with a CVE cross-reference that maps the CVE
entries to the SAINT tutorials, while SAINTmanager is CVE searchable with a CVE
cross-reference that maps the CVE entries to the corresponding SAINTmanager vulnerability
IDs. We will continue to keep all SAINT products updated with the latest CVE numbers as
they become available.
| SECUI.COM Corporation |
Date Declared: June 22, 2011 |
Quote/Declaration: With the increasing number of vulnerabilities in various areas, it is worthwhile to define a common vulnerability naming and
enumerating standard such as CVE List. By providing this information to our customers through our product, they can quickly
and accurately identify vulnerabilities. Especially, customers can cross-link the information with other CVE-Compatible products
and services.
Quote/Declaration: Secunia constantly monitors and reviews CVE entries to ensure that these are appropriately and accurately matched with the
verified Secunia Vulnerability Intelligence provided in our Advisories, Secunia PSI, Secunia CSI, Secunia OSI, Secunia VIM,
and on our Web site.
| Secure Elements, Incorporated |
Quote/Declaration: C5 EVM combines vulnerability information from a myriad of sources to provide the most
complete coverage possible for our customers. By relying on CVE, C5 EVM seamlessly
integrates the information, providing our customers the highest level of protection
available.
— Dan Bezilla, CTO
Quote/Declaration: SecureInfo RMS, award-winning certification and accreditation software, is
CVE-compatible. Supporting CVE is an important part of our vision in providing continuous
monitoring capabilities in support of FISMA and our customer's information security
programs.
— Roberto R. Garcia, V.P. Product Engineering
Quote/Declaration: CVE compatibility ensures that administrators can easily use different security
products in order to find additional information they need.
Quote/Declaration: Skybox Security supports standards such as CVE that promote interoperability of
security products. Skybox View, our exposure risk management solution, uses CVE names in
its vulnerability dictionary and cross-references these to vulnerabilities imported by all
vulnerability scanners such as Nessus, eEye Retina, ISS Internet Scanner, Qualys, and other
market leaders. By running attack simulations against a virtual model of the network,
Skybox View reveals vulnerabilities, based on CVE names, that are truly critical because
they lie along an attack path to critical business applications. The CVE Initiative allows
security professionals to understand risks and exposures in terms that can be
cross-referenced to other security products - a growing necessity as more and more
solutions automate the risk management process.
| Software in the Public Interest, Inc. |
Quote/Declaration: Debian developers understand the need to provide accurate and up-to-date information of
the security status of the Debian distribution, allowing users to manage the risk
associated with new security vulnerabilities. CVE enables us to provide standardized
references that allow users to develop a CVE-enabled security management process.
Quote/Declaration: Symantec maintains one of the largest vulnerability databases available today.
Consisting of over 9000 distinct vulnerability records, we have strived to maintain CVE
compliance from the outset of the CVE Initiative.
Symantec fully supports an industry-wide standard for the indexing of vulnerabilities.
Our public web sites (SecurityFocus and SecurityResponse), and our commercial alerting
services (DeepSight Alert Services) fully conform to the CVE requirements. This allows our
customers to search for, and research vulnerabilities and blended threats using this common
nomenclature. Symantec's wide range of security products utilize the industry-leading
vulnerability database and employ trusted, fast and automated response capabilities to
identify threats identified by CVE.
| Tenable Network Security Inc. |
Quote/Declaration: Tenable Network Security utilizes the CVE program to reference each of the vulnerabilities detected by Nessus and the Passive
Vulnerability Scanner. This information is also heavily used through SecurityCenter for reporting, education, IDS event correlation
and linking with third-party security information.
Quote/Declaration: Recognizing the importance of common indexing of known vulnerabilities, ThreatGuard has
included CVE references in ThreatGuard VMS and ThreatGuard Traveler. These references are
seamlessly integrated with the ThreatGuard Navigator client application, reports, and
search engine. As we release new vulnerability tests, it is among ThreatGuard's top
priorities to ensure CVE referencing is included and accurate, extending the efforts of the
CVE initiative.
| TippingPoint Technologies |
Quote/Declaration: TippingPoint is in the business of simplifying security. We are a strong proponent of
MITRE's CVE standards initiative.
Quote/Declaration: We have aligned our service/appliance FAV with the CVE vulnerabilities standard for the
benefit of our customers.
| TrustSign |
Date Declared: December 28, 2011 |
Quote/Declaration: TrustSign is a certificate authority and a security company that works to identify and correct common vulnerabilities in enterprise
networks and service providers. We believe that it is important to our services and clients to be fully compatible with
the CVE standard.
Quote/Declaration: WinsTechnet.co., Ltd. is pleased to support MITRE on the CVE effort to standardize vulnerability identification not only for
the security industry, but for our customers. SNIPER IPS, our network-based intrusion prevention system, and SecureCast, our
vulnerability database, have incorporated CVE names to provide the most valuable information for our customers.
| Xi'an Jiaotong University Jump Network Technology Co., Ltd. |
Quote/Declaration: We have incorporated CVE to improve the quality of our product.
Under Review