As is the case with any effort that attempts to establish a standard, the CVE Initiative is only as credible
as those who support it. Here is a list of statements about CVE by several luminaries
in the information security field.
AXENT
"AXENT is pleased
to partner with MITRE on the CVE initiative to standardize vulnerability names and
increase interoperability between security tools.
This aligns with AXENT's Smart Security Architecture
to provide the 'right' level of security for our customers."
- Craig Ozancin, Security Analyst, AXENT's SWAT Team
BindView Corporation
"As a founding
member of the CVE initiative, BindView Corporation stands firmly behind MITRE's efforts
to provide the first truly standardized lexicon of vulnerabilities.
As the industry leader in security research, RAZOR is actively supporting
this effort because of the market requirement for a more vendor-neutral approach
to solving the growing problems of security. For too long, development interests
and product limitations have driven what 'known vulnerabilities' was defined to be.
The CVE initiative shifts the focus from product-centric to an industry-based model,
requiring vendors to have a greater accountability to the whole security market -
as well as to our specific customer. Moving forward, we plan to expand our security
products to support the 'CVE-compatible' initiative."
- Drew Williams, BindView Security Segment Product Manager and spokesman for the RAZOR Security Team
CERT
"The CERT Coordination
Center views the CVE as an important milestone in the establishment of a 'science
of information assurance.' We see it both as a means and an end--it is a means to
improve the objective quality of information exchanged among practitioners and it
is also an end--a social experiment in collaboration among a varied group of academic,
commercial, governmental, and other information assurance professionals. We believe
that both of these aspects of the CVE are equally important and more than justify
the efforts expended by the participants thus far.
CERT intends to contribute
its accumulated knowledge and experience to this endeavor in the spirit of scientific
community. We will begin directly contributing new CVE entries, as well as using
existing CVE entries to annotate our published advisories, as well as electronic
information we share privately with various information assurance professionals.
We also intend to use the CVE advisory board as a catalyst for new relationships
with the various sectors represented by the members of the board."
- Bill Fithen
CyberSafe Corporation
"Until now each
vendor has developed their own list of 'known vulnerabilities' and then created ways
of detecting and responding to them. CVE allows us to reduce the duplication of effort
while at the same time improving service to our customers. In addition, I expect
CVE to allow the development of third party training courses in Intrusion and Mis-use
Management, thus opening the way to faster deployment and better network security
everywhere."
- Christian Byrnes
Hiverworld, Inc.
"For over twenty
years, the continuing development of sophisticated methods for ensuring electronic
security has occurred in the absence of a common conceptual framework for vulnerabilities.
CVE, in this respect, marks a pivotal point in the evolution of the security industry
and will likely become an industry-standard Lingua Franca. Hiverworld is pleased
to join with MITRE in this far-reaching initiative."
- Tom Stracener
ISS
"The CVE naming
standard developed by MITRE represents a significant leap forward for the information
security industry and end user community," said Christopher Klaus, founder and
chief technology officer, Internet Security Systems. "As a technology pioneer
and leading provider of security management software and services, ISS is pleased
to be a part of this important initiative as we move toward a standard that is crucial
to the effective protection of every organization's critical digital assets."
Max Vision Network Security/Whitehats
"The security
community benefits greatly by using the CVE identifiers to enumerate vulnerabilities
and exposures. The arachNIDS (Advanced Reference Archive of Current Heuristics for
Network Intrusion Detection Systems) includes CVE identifiers and is CVE searchable
to allow users to quickly reference related security information in other CVE compatible
databases and resources. Beyond our referencing the CVE identifiers in our free Intrusion
Detection signatures, we also believe the CVE dictionary would greatly benefit by
referencing our detailed security event information for network borne attacks that
we have documented at the packet level. The various security resources, integrated
by use of the common CVE identifiers, will ultimately provide the security community
with more free detailed security information."
- Max Vision, founder of Max Vision Network Security and Whitehats/arachNIDS
Network Associates Inc., (NAI)
"Network Associates
has always believed that accurate, consistent and proactive communication is the
key to preventing most security breaches today.
We are pleased to be part of this important initiative to further simplify the network security arena."
- Chris Williams, manager, NAI Labs, Security Research Division, Network Associates, Inc.
Purdue University CERIAS
"For science
to advance it is necessary for scientists to communicate effectively about their
work. For the first time, the CVE provides a basis for scientists to communicate
clearly about security vulnerabilities. Coupled with our work in vulnerability classification,
we see the study of security flaws and exposures beginning to transition from black
art to considered science."
- Gene Spafford
Symantec
"CVE plays an essential role as the standard for mapping naming conventions among the various security tools and user-accessible vulnerability repositories. The CVE initiative has been instrumental in bringing major security tool vendors and security experts from all venues together in a coordinated effort to bring order to a confusing and often perplexing issue. As an early member of the editorial board and a major provider of sustainable proactive security, Symantec is fully committed to remaining active in the editorial board process and to developing CVE-compatible products."
- Ron Moritz, Chief Technology Officer, Symantec Corporation