CVE Editorial Board,
Several months ago, Red
Hat approached NIST with the idea of creating a public forum for the software
industry to comment upon the set of CVE vulnerabilities applicable to their
products. Today, Red Hat released a press announcement on the service (attached)
and I sent out an announcement on the National Vulnerability Database e-mail
list (below). It is my hope that the software development community will take
this opportunity to comment upon the CVE vulnerabilities related to their
products and that third-party IT security vendors will import the official vendor
statements into their products and services. We hope that this editorial board
will find the service useful and will participate as early adopters of the
service. Please send e-mail to firstname.lastname@example.org to
learn how to participate.
Database Program Manager
NVD is pleased to
announce a new service whereby we provide the software industry an open forum
to comment upon the set of CVE vulnerabilities discovered in their products.
Software vendors have the deepest knowledge about their products and thus are
uniquely positioned to comment on their vulnerabilities.
The set of
“official vendor statements” are available as an XML feed from the
NVD download page, http://nvd.nist.gov/download.cfm.
We encourage other vulnerability databases and services to incorporate these
vendor statements alongside their CVE vulnerability descriptions. The
statements are also available on the respective NVD vulnerability summary pages
organizations can submit official statements by contacting NVD staff (email@example.com). The capability exists both for
organizations to manually submit statements and for organizations to log into
NVD to issue and modify statements themselves. We recommend the log in
capability for organizations that are affected by more than a few CVE
We would like to thank
Red Hat, particular Mark Cox, for coming up with the idea for this service.
They recognized that the software industry needed an open forum in which they
could comment on the CVE vulnerabilities in their products. They approached NVD
with this idea and we started a pilot program in which Red Hat provided over
100 official statements regarding the CVE vulnerabilities. Each of these
statements added valuable details that were not always available from third
party security advisories.
Organizations can use the
service in a variety of ways. For example, they can provide configuration and
remediation guidance, clarify vulnerability applicability, provide deeper
vulnerability analysis, dispute third party vulnerability information, and
explain vulnerability impact.
It is our hope that the
software industry will actively participate in this open forum and that the
“official vendor statements” will be propagated throughout the 300+
products and services that use the CVE vulnerability naming standard (http://cve.mitre.org).
Database Program Manager