CVE in the News

CVE in the News 2005

CVE in the News is a comprehensive monthly review of the news and other media's coverage of CVE. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

December 2005

Date: 12/2/2005
Publication: SecurityFocus.com

Byline: Robert Lemos
Title: " Federal flaw database commits to grading system "

Excerpt or Summary:
CVE was mentioned as follows in an article about the U.S. National Vulnerability Database (NVD) : "NVD piggybacks on the Common Vulnerability and Exposures (CVE) [Initiative] ... The CVE, a listing of serious vulnerabilities maintained by the MITRE Corporation, expands on the Internet Catalog (ICAT)—a previous NIST project—that archived the vulnerabilities defined by the Common Vulnerability and Exposures list. The NVD team scored the vulnerabilities using an automated process. The CVE [List] only had about 80 percent of the information needed to give an exact score ... so the group has generated the scores based on the information at hand and labeled each one "approximate." The CVE definitions are one of the standards that the National Vulnerability Database depends on. The database also uses the Open Vulnerability and Assessment Language (OVAL) to describe the security issues in a standard language ... "

CVE is also mentioned in the article in a discussion of NVD's adoption of the Common Vulnerability Scoring System (CVSS) by Gerhard Eschelbeck, chief technology officer for Qualys, Inc. and "one of the founding members" of the CVSS team, who states: "The grading of the previous vulnerabilities on the CVE List solves a problem that hampered adoption of the Common Vulnerability Scoring System. With the introduction of CVSS as a standardized vulnerability scoring system, the question appeared, how do we go back and score all the historical vulnerabilities released? It is very encouraging to see NVD has taken on this big task, providing comprehensive CVSS scoring for even historical vulnerabilities."

NVD, CVE, and OVAL are sponsored by the U.S. Department of Homeland Security .

November 2005

Date: 11/21/2005
Publication: BusinessWire.com

Title: " NetClarity Upgrades Line of Vulnerability Management Appliances; Auditor Now Provides Multi-Appliance Correlation and VoIP Security Testing "

Excerpt or Summary:
CVE was included in a press release by NetClarity about the latest upgrade to their Auditor product line. CVE is first mentioned at the beginning of the release in a description of how the Auditor upgrade product works: " ... Auditor now has the capability of scanning VoIP network equipment, such as servers, switches, routers and handsets, for Common Vulnerabilities and Exposures (CVE) [names], the systemic cause of over 95 percent of all network security breaches."

CVE is also mentioned in a quote by Gary Miliefsky, NetClarity's chief technology officer, who states: "If you are considering deploying VoIP on the same network as your desktop computers and servers, you are at high risk of poor call quality, denial of service, breaches of privacy, integrity and availability. By removing your CVEs, you can quickly mitigate much of this risk. Because these packet-based networks are not very secure by default they are extremely susceptible to attacks such as Man in the Middle (eavesdropping and alerting) and Denial of Service (DoS). Auditor now enables customers to quickly find and remediate CVE that may lead to these types of attacks."

Finally, CVE is highlighted in a list of the new features of the latest release of Auditor: "Integration with the National Vulnerability Database [NVD], which is based on and synchronized with the MITRE CVE naming standard: this comprehensive cyber security vulnerability database enables customers to better understand how vulnerabilities impact their business and how to fix them as well as the latest threats against their [CVE names]."

Four NetClarity (formerly PredatorWatch, Inc.) products are listed on the CVE-Compatible Products and Services page, three of which—NetClarity Auditor Enterprise and Update Service, NetClarity Auditor 128 and Update Service, and NetClarity Auditor XL and Update Service—are " Officially CVE-Compatible ." NVD and CVE are sponsored by the U.S. Department of Homeland Security .

Date: 11/10/2005
Publication: ZATAZ News

Byline: D.B.
Title: " Common Malware Enumeration "

Excerpt or Summary:
CVE was mentioned briefly in this article, which was written in French, announcing that McAfee, Inc. has joined the CME Editorial Board and that McAfee said it would reference CME identifier information on its virus information library on the McAfee Web site. CVE is mentioned in the article when the author states that CME is similar to the Common Vulnerabilities and Exposures Initiative.

Common Malware Enumeration (CME) initiative—headed by US-CERT and MITRE along with numerous members of the anti-virus community—that aims to provide single, common identifiers to new virus threats (i.e., malware) to reduce public confusion during malware outbreaks. CME is "not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing capability for malware." CME, US-CERT, and CVE are sponsored by the U.S Department of Homeland Security .

Date: 11/3/2005
Publication: DAWN Sci-Tech World

Byline: Nizar Diamond Ali
Title: " Tips and tricks: Worming it out ."

CVE is mentioned when the author states: "Why CME has become so popular within a couple of weeks of its launch has much to do with its backers — US-CERT (Computer Emergency Readiness Team), and US Department of Homeland Security. MITRE Corporation manages CME under funding from US-CERT and DHS which also fund two similar projects, CVE (Common Vulnerabilities and Exposures), and OVAL (Open Vulnerability and Assessment Language)."

CVE, CME, OVAL, and US-CERT are sponsored by the U.S Department of Homeland Security .

Date: 11/1/2005
Publication: SC Magazine

Title: " Auditor Enterprise "

Excerpt or Summary:
CVE was mentioned in the first sentence of this product review article for NetClarity, Inc.'s Auditor Enterprise product. CVE is mentioned as follows: "Netclarity's distinctive green 1U rack mount Auditor Enterprise device is described as a CVE (Common Vulnerabilities and Exposures)-compliant network security system. It offers vulnerability assessment functions to help firms comply with corporate governance legislation by conducting an audit against pre-defined CVE vulnerabilities. This helps endpoint security by quarantining infected systems until they are remediated."

Four NetClarity, Inc. (formerly PredatorWatch, Inc.) products are listed on the CVE-Compatible Products and Services page, three of which—NetClarity Auditor Enterprise and Update Service, NetClarity Auditor 128 and Update Service, and NetClarity Auditor XL and Update Service—are " Officially CVE-Compatible ."

October 2005

Date: 10/6/2005
Publication: NewsFactor Magazine

Title: " CERT Pushes for Standard Malware Names "

Excerpt or Summary:
CVE was mentioned briefly in this article about the Common Malware Enumeration (CME) initiative—headed by US-CERT and MITRE along with numerous members of the anti-virus community—that aims to provide single, common identifiers to new virus threats (i.e., malware) to reduce public confusion during malware outbreaks. CVE is mentioned as follows: "A similar naming system already exists for vulnerabilities in software, which uses a Common Vulnerability and Exposure (CVE) identifier that includes the year in which it was identified and a sequential number." CME, US-CERT, and CVE are sponsored by the U.S Department of Homeland Security .

Date: 10/6/2005
Publication: Security Depot Online

Title: " McAfee, Inc. Supports Common Malware Enumeration Initiative to Help Alleviate Problems With Malware Naming "

Excerpt or Summary:
CVE was mentioned briefly in this article announcing that McAfee, Inc. has joined the CME Editorial Board and that McAfee said it would reference CME identifier information on its virus information library on the McAfee Web site" so that users could search for a threat by its identifying number as well as the virus name". Common Malware Enumeration (CME) initiative—headed by US-CERT and MITRE along with numerous members of the anti-virus community—that aims to provide single, common identifiers to new virus threats (i.e., malware) to reduce public confusion during malware outbreaks.

CVE is mentioned when the author states: "The effort is fashioned similarly to the Common Vulnerabilities and Exposures (CVE) initiative, which is also operated by MITRE in support of US-CERT for standard naming around all publicly known vulnerabilities."

CME, US-CERT, and CVE are sponsored by the U.S Department of Homeland Security .

Date: 10/6/2005
Publication: vnunet.com

Byline: Tom Sanders
Title: " Security industry adopts uniform virus names "

Excerpt or Summary:
CVE was mentioned briefly in this article about the Common Malware Enumeration (CME) initiative—headed by US-CERT and MITRE along with numerous members of the anti-virus community—that aims to provide single, common identifiers to new virus threats (i.e., malware) to reduce public confusion during malware outbreaks. CVE is mentioned as follows: "A similar naming system already exists for security vulnerabilities in software, which uses a Common Vulnerability and Exposure identifier that includes a sequential number and the year in which it was identified."

CME, US-CERT, and CVE are sponsored by the U.S Department of Homeland Security .

Date: 10/5/2005
Publication: MITRE Web Site

Title: " Common Malware Enumeration Initiative Now Available "

Excerpt or Summary:
CVE was mentioned briefly in this press release by US-CERT and MITRE Corporation formally announcing the launch of the Common Malware Enumeration (CME) . The release describes what CME is and isn't, discusses the CME Editorial Board, and mentions the address of the CME Web site . CVE is mentioned as follows: " Use of the CME identifier is completely voluntary, but it is hoped that the public will encourage anti-virus vendors to adopt CME identifiers. CME is similar to the Common Vulnerabilities and Exposures (CVE) initiative, which is also operated by MITRE in support of US-CERT. Experience with CVE shows that by adopting a neutral, shared identification method, effective information sharing can happen faster and with more accuracy. "

CME , US -CERT, and CVE are sponsored by the U.S Department of Homeland Security .

Date: 10/1/2005
Publication: ADTmag.com

Byline: Kathleen Ohlson
Title: " Online Treasure Chest for Security Pros "

Excerpt or Summary:
CVE was mentioned briefly in this Q&A article about the U.S. National Vulnerability Database ( NVD ) with Peter Mell, senior computer scientist at the National Institute of Standards and Technology (NIST) and creator of NVD. CVE is mentioned by Mell in response to a question about the source used by NVD for its vulnerability names and descriptions : "[NVD is] completely synchronized... with the people that run [CVE]."

NVD and CVE are sponsored by the U.S Department of Homeland Security . In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

September 2005

Date: 9/2005
Publication: Virus Bulletin

Byline: Jimmy Kuo (McAfee, Inc.) and Desiree Beck (MITRE Corporation)
Title: " The Common Malware Enumeration Initiative "

Excerpt or Summary:
CVE was mentioned briefly in this article announcing the formation of the Common Malware Enumeration (CME) initiative—headed by US-CERT and MITRE along with numerous members of the anti-virus community—that aims to provide single, common identifiers to new virus threats (i.e., malware) to reduce public confusion during malware outbreaks. CME is " not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing capability for malware. "

CVE is mentioned by the authors of the article as follows: "CME is fashioned similarly to the Common Vulnerabilities and Exposures (CVE) initiative (http://cve.mitre.org), which is also operated by MITRE in support of US-CERT. As experience with CVE shows, once all parties have adopted a neutral, shared identification method, effective information sharing can happen faster and with more accuracy." CME, US-CERT, and CVE are sponsored by the U.S Department of Homeland Security .

Date: 9/2005
Publication: Software Development Magazine

Byline: Laurie O'Connell
Title: " False Protection: We count on firewalls and antivirus tools to keep our industry afloat. What if the cure is worse than the disease? "

Excerpt or Summary:
CVE names were used by the author of this article to illustrate the number and scope of threats that must be addressed by firewalls and anti-virus tools.

Date: 9/29/2005
Publication: SearchSecurity.com

Byline: Bill Brenner
Title: " Will US-CERT bring sanity to virus naming? "

CVE is mentioned in the article in a quote by Donald Hauser, information security engineer for The National Academy of Sciences (NAS) in Washington, D.C. , who states: "It would be nice to see viruses being given a uniform number or convention similar to what [The United States Computer Emergency Readiness Team (US-CERT)] uses for vulnerabilities -- the CVE [Common Vulnerabilities and Exposures] designation. That would be very helpful. Then the major players could give it any name they want but there would still be a common code. " CME, US-CERT, and CVE are sponsored by the U.S Department of Homeland Security .

Date: 9/22/2005
Publication: eWeek

Byline: Paul F. Roberts
Title: " US-CERT Malware Naming Plan Faces Obstacles "

CVE is mentioned in the article as follows: " The CME number and links to a description of the threat will appear on a MITRE Web site akin to the CVE (Common Vulnerabilities and Exposures) Web site. " CME, US-CERT, and CVE are sponsored by the U.S Department of Homeland Security .

August 2005

Date: 8/22/2005
Publication: Government Computer News

Byline: William Jackson
Title: " NIST relaunches database of IT vulnerabilities "

Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database ( NVD ). "CVE is mentioned as follows: "[NVD] incorporates the Common Vulnerabilities and Exposures search engine, a standardized naming scheme for IT vulnerabilities developed by MITRE Corp. of Bedford, Mass., and supported by DHS. NVD also integrates other government resources, such as alerts and advisories from US-CERT." The article also describes what CVE is and isn't, provides the history of CVE, mentions that there are 200+ CVE-compatible products and services, and notes that "NVD synchronizes with CVE every four or five minutes."

The article also includes a quote from Steven M. Christey, Editor of the CVE List and information security engineer at MITRE, who states: "[NVD is] an excellent extension of CVE. It addresses a lot of needs people have been looking to CVE for, but that CVE was not intended to serve."

NVD and CVE are sponsored by the U.S Department of Homeland Security . In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

Date: 8/17/2005
Publication: ComputerWorld

Byline: Linda Rosencrance
Title: " Brief: NIST launches new vulnerability database "

Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database ( NVD ), which "integrates all publicly available U.S. government resources on vulnerabilities and provides links to industry resources, according to NIST." CVE is mentioned as follows: "It is built on a dictionary of standardized vulnerability names and descriptions called Common Vulnerabilities And Exposures."

NVD and CVE are sponsored by the U.S Department of Homeland Security . In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

Date: 8/16/2005
Publication: The Engineer Online

Title: " Vulnerabilities Database "

Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database ( NVD ). CVE is mentioned as follows: "NVD is built upon a dictionary of standardised vulnerability names and descriptions called Common Vulnerabilities and Exposures."

NVD and CVE are sponsored by the U.S Department of Homeland Security . In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

Date: 8/15/2005
Publication: Federal Computer Weekly

Byline: Rutrell Yasin
Title: " NIST creates online treasure trove of security woes "

Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database ( NVD )." CVE is mentioned as follows: "The database is built completely on the Common Vulnerabilities and Exposures (CVE) naming standard developed by representatives from academia, government and industry. Maintained by MITRE, CVE is a dictionary, not a database. It is designed to make it easier to share data among vulnerability databases and security tools. About 300 security products use CVE to identify vulnerabilities and facilitate interoperability among those products. NVD will aid that interoperability by enhancing the CVE name standard with detailed vulnerability information."

NVD and CVE are sponsored by the U.S Department of Homeland Security . In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

Date: 8/15/2005
Publication: eWeek

Byline: Caron Carlson
Title: " NIST Unveils National Vulnerability Database "

Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database ( NVD ), "a database of network vulnerabilities last week to give IT security professionals a clearinghouse to keep up with newly discovered weaknesses and learn ways to remediate them."

CVE is mentioned as follows: "Users can search the database for information on any vulnerability and are able to search by keyword or CVE (Common Vulnerabilities and Exposures) number. The system also contains information on all the technical alerts and vulnerability notes that the US-CERT publishes."

NVD, US-CERT, and CVE are sponsored by the U.S Department of Homeland Security . In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

Date: 8/12/2005
Publication: Computer Business Review Online

Title: " Homeland Security launches vulnerability database "

Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database ( NVD ). CVE is mentioned as follows: "Unlike the longstanding CVE list, maintained by The MITRE Corp, which is keyword searchable, the NVD is a database that allows users to slice and dice the data to more quickly look up specific types of vulnerabilities or specific vulnerable products."

NVD and CVE are sponsored by the U.S Department of Homeland Security . In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

Date: 8/12/2005
Publication: SecurityFocus.com

Byline: Robert Lemos
Title: " NIST, DHS add national vulnerability database to mix "

Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database (NVD), which according to the article is "the latest U.S. Department of Homeland Security initiative to boost the preparedness of the nation's Internet and computer infrastructure, as called for by the Bush Administration's National Strategy to Secure Cyberspace ."

CVE is mentioned when the author states: "[NVD only includes] public information in its collection... The project scans the C ommon Vulnerability and Exposures (CVE) , a listing of serious vulnerabilities maintained by the MITRE Corporation. The NVD expands on the Internet Catalog (ICAT), a previous NIST project, that archived the vulnerabilities defined by the Common Vulnerabilities and Exposures list."

CVE is also mentioned in a quote by Peter Mell, a senior computer scientist at NIST and the creator of the NVD, who states: "The CVE [names] are one of the standards that the National Vulnerability Database depends on. The database also uses the Open Vulnerability and Assessment Language (OVAL) to describe the security issues in a standard language." According to the article, "this reliance on standards gained the effort some plaudits from representatives of security companies that rely on such databases," including Gerhard Eschelbeck, chief technology officer of vulnerability assessment service for Qualys, Inc., who states: "We believe there is a need in the market for an aggregator to bring together all the information from all the different sources. But we want the organizations to use all the open standards."

NVD, US-CERT, OVAL, and CVE are sponsored by the U.S Department of Homeland Security . In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

Date: 8/12/2005
Publication: GovTech.Net

Title: " NIST Launches National Database of Computer Vulnerabilities "

NVD and CVE are sponsored by the U.S Department of Homeland Security . In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

Date: 8/10/2005
Publication: Federal Computer Weekly

Byline: Rutrell Yasin
Title: " NIST releases vulnerability database "

Excerpt or Summary:
CVE was mentioned in this article about the U.S. National Vulnerability Database ( NVD ), which "integrates all publicly available U.S. government vulnerability resources and provides references to industry resources. The Web site, nvd.nist.gov, contains about 12,000 vulnerability entries with around 10 being added per day."

CVE is mentioned as follows: "[NVD] is built completely on the Common Vulnerabilities and Exposures (CVE) naming standard, which was developed by representatives from academia, government and industry. Maintained by MITRE Corp., CVE is a dictionary, not a database. It is designed to make it easier to share data across separate vulnerability databases and security tools. About 300 security products use CVE to identify vulnerabilities and facilitate interoperability between those products. NVD will aid that interoperability effort by enhancing the CVE name standard with detailed vulnerability information."

NVD and CVE are sponsored by the U.S Department of Homeland Security . In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

Date: 8/10/2005
Publication: ZDNet Government

Title: " National Vulnerabilities Database launched "

Excerpt or Summary:
CVE was included in this article about the U.S. National Vulnerability Database ( NVD ), "comprehensive collection of computer security weaknesses. NVD collates cybersecurity warnings from various US government sources, including the Computer Emergency Readiness Team (CERT). The database contains about 12,000 listings, with 10 a day being added." CVE is mentioned as follows: "The database is built on the Common Vulnerabilities and Exposures dictionary, a standard naming convention for computer vulnerabilities."

NVD and CVE are sponsored by the U.S Department of Homeland Security . In addition, NIST is a member of the CVE Editorial Board and NVD is listed on the CVE-Compatible Products and Services page.

Date: 8/8/2005
Publication: Infoworld.com

Byline: Victor R. Garza , Joseph L. Roth, Charles D. Herring
Title: " TippingPoint leans into network threats "

Excerpt or Summary:
CVE was used by the authors as a method for testing the product in this review of the TippingPoint 400 IPS. CVE names are mentioned when the authors state: "During manual testing with Core Impact, the TippingPoint 400 missed our exploits of the several-year-old IIS ASN.1 Bit String SPNEGO vulnerability (CVE-2003-0818) and the MS RPC DCOM vulnerability (CVE CAN-2003-0352) that Blaster made famous."

May 2005

Date: 5/2005
Publication: CrossTalk, The Journal of Defense Engineering

Byline: Robert A. Martin
Title: " Transformational Vulnerability Management Through Standards "

Excerpt or Summary:
CVE was a main topic in this article by CVE Compatibility Lead Robert A. Martin that discusses the U.S Department of Defense's (DOD) new enterprise licenses for vulnerability assessment and remediation tools that require using capabilities that conform to the CVE and OVAL standards efforts. The author states: "In combination with procedural changes, the adoption of these and other standards such as the National Security Agency's Extensible Markup Language Configuration Checklist Data Format, are making it possible to radically improve the accuracy and timeliness of the DOD's remediation and measurement activities, which are critical to ensuring the network and systems integrity of their network-centric warfare capabilities."

The author concludes the article as follows: "DoD is moving to its new process by requiring the inclusion of CVE names and standardized OVAL XML vulnerability and configuration tests in software supplier's alerts and advisories, and by acquiring tools that can import new and future OVAL XML test definitions and export their findings as standardized OVAL XML results. By also obtaining capabilities that can import the OVAL XML results for remediation, organizational status reporting, and generating certification and accreditation reports, the DoD will have created a focused, efficient, timely, and effective enterprise incident management and remediation process by adopting information security products, services, and methodologies that support the CVE naming standard and use OVAL test definitions and results schemas." "Collectively these changes will dramatically improve the insight and oversight of the security and integrity of the systems and networks underlying tomorrow's network- centric warfare capabilities."

Date: 5/15/2005
Publication: SD Times, The Industry Newspaper for Software Development Managers

Byline: Jennifer DeJong
Title: " Top Ten, Other Lists Catalog Security Threats "

Excerpt or Summary:
CVE was mentioned in this article as one of the "Internet resources [that aim] to identify application flaws developers may do battle with." The author mentions CVE as follows: "Another entry, the Common Vulnerabilities and Exposures (CVE) List (cve.mitre.org/cve), is not a database, per se. It aims to standardize the names for all publicly known vulnerabilities and security exposures. Maintained by the not-for-profit MITRE Corp., the listing is designed to make it easier to search for information in security databases, such as the one maintained by CERT/CC [www.kb.cert.org/vuln]."

In addition to the CERT/CC database, the article also mentions the Open Web Security Project Top Ten list, both of which are listed on the CVE-Compatible Products and Services page.

April 2005

Date: 4/25/2005
Publication: Computerworld

Byline: Jaikumar Vijayan
Title: " Sidebar: Security Forum's Demise Doesn't End Call for Help "

Excerpt or Summary:
CVE is mentioned in this article in a quote by Amit Yoran, former director of the National Cyber Security Division at the U.S. Department of Homeland Security, advocating the idea behind the CISO Exchange. The author of the article reports the quote as follows: "One example in which such [industry] participation has yielded substantial benefits is the widely used Common Vulnerabilities and Exposures [List], which is maintained by The MITRE Corp. in partnership with the government and various vendors, Yoran said."

CVE is sponsored by US-CERT at the U.S. Department of Homeland Security . MITRE Corporation maintains CVE and provides impartial technical guidance to the CVE Editorial Board on all matters related to ongoing development of CVE.

Date: 4/7/2005
Publication: NX Security Web Site

Title: " NX Security conquista certificação CVE "

Excerpt or Summary:
CVE compatibility was the main topic of this media notification by NX Security. In the notification, which is written in Portuguese, NX Security announces: "Em continuidade à trajetória de sucesso e excelência no que diz respeito aos serviços oferecidos na área de Segurança da Informação, a NX Security dá mais um passo importante e é a primeira empresa da América Latina a conquistar a certificação CVE. A certificação foi entregue no dia 05 de abril, no InfoSec World Conference, em Orlando, Flórida, EUA. Durante o evento, no qual a US-CERT (Divisão Nacional de Segurança na Internet) representou a NX Security. Foram declarados com compatibilidade CVE o NX-Entreprise e o NX-Express, serviços de detecção e reação de forma contínua contra as ameaças aos sistemas de informação."

The release further states: "Com isso, as soluções apresentadas pela NX Security para proteger e garantir uma maior cobertura nas atividades e aplicações das redes externas e internas possuem eficiência e exatidão ao determinar as vulnerabilidades e exposições detectadas. Isso acontece porque sendo compatível com os nomes CVE haverá uma padronização na avaliação feita pelas ferramentas e pela base de dados, permitindo, inclusive que estes possam comunicar-se entre si."

NX Security and its NX Enterprise and NX Express products are listed on the CVE-Compatible Products and Services page.

Date: 4/6/2005
Publication: ArcSight, Inc. Web Site

Title: " ArcSight ESM Awarded CVE Compatibility Certificate "

Excerpt or Summary:
CVE compatibility was the main topic of this press release by ArcSight, Inc. announcing that "The CVE Initiative, in a ceremony today, awarded the CVE Compatibility Certificate to ArcSight ESM." The release also includes a quote from Pravin Kothari, Vice President of Software Development at ArcSight, who states: "As the clear, independent standard for identification of vulnerabilities and information security exposures, CVE certification is critical for enterprise security management solutions. As the first enterprise class security management solution to receive CVE certification, ArcSight has empirical proof of its leadership in integrating vulnerability data into real-time and historic security management technology."

ArcSight, Inc. and ArcSight Enterprise Security Manager (ArcSight ESM) are listed on the CVE-Compatible Products and Services page.

Date: 4/6/2005
Publication: Yahoo Financial News

Title: " ArcSight ESM Awarded CVE Compatibility Certificate "

Excerpt or Summary:
This is a reprint of the ArcSight, Inc. press release above announcing that ArcSight Enterprise Security Manager (ArcSight ESM) is now officially CVE-Compatible. ArcSight, Inc. and ArcSight ESM are listed on the CVE-Compatible Products and Services page.

Date: 4/6/2005
Publication: MarketWire.com

Title: " ArcSight ESM Awarded CVE Compatibility Certificate "

Date: 4/6/2005
Publication: ArriveNet.com

Title: " ArcSight ESM Awarded CVE Compatibility Certificate "

Date: 4/6/2005
Publication: Skybox Security, Inc. Web Site

Title: " Skybox Security Recognized for CVE Compatibility "

Excerpt or Summary:
CVE compatibility was the main topic this press release by Skybox Security, Inc. announcing that it "has been formally recognized for Common Vulnerabilities and Exposures (CVE^™) compatibility for its enterprise software solution, Skybox View. The award, presented to Skybox at the MIS Technology Institute's InfoSec World Conference and Exposition, recognizes products that have incorporated MITRE Corporation's CVE standard names for security vulnerabilities and exposures to foster information sharing across security solutions. Skybox was one of ten companies receiving certification [at the event]."

The release also includes a quote from Gidi Cohen, Chief Strategy Officer for Skybox Security, who states: "Skybox Security is proud to be the first security risk management solution to be awarded CVE compatibility, as well as one the select few who have achieved the final phase of MITRE's formal CVE Compatibility Process. Skybox is actively committed to industry standards. With over 200 products and services declared CVE-compatible, the CVE Initiative is an important and influential community working toward the common purpose of better security."

Skybox Security, Inc. and Skybox View are listed on the CVE-Compatible Products and Services page.

Date: 4/5/2005
Publication: DesktopStandard Corporation Web Site

Title: " DesktopStandard's PolicyMaker Software Update Receives CVE Compatibility Award "

Excerpt or Summary:
CVE compatibility was the main topic of this press release announcing that DesktopStandard Corporation's "Group Policy-based patch management product, PolicyMaker Software Update, received the prestigious CVE Compatibility Award today from MITRE Corporation at the MIS Training Institute's InfoSec World Conference & Expo in Orlando, FL."

The release also includes a quote by Kevin Sullivan, product manager for PolicyMaker products, who states: "DesktopStandard builds solutions that comply with industry standards, and the accepted standard for vulnerability definitions is critical for us to support. We see CVE support as an essential step to protect our customers from security threats and provide them with the optimum solution for deploying software update policy across their networks. We build software to support entire networks, so we had better be compliant be with standards."

DesktopStandard Corporation and PolicyMaker Software Update are listed on the CVE-Compatible Products and Services page.

March 2005

Date: 3/2005
Publication: MITRE Corporation Web Site

Byline: Robert A. Martin
Title: " White Paper: Transformational Vulnerability Management Through Standards "

Excerpt or Summary:
CVE is a main topic of this MITRE white paper by CVE Compatibility Lead Robert A. Martin. The paper discusses the DOD's new enterprise licenses for vulnerability assessment and remediation tools that require using capabilities that conform to the CVE and OVAL standards efforts. A version of the paper was also published in the May 2005 issue of CrossTalk, The Journal of Defense Engineering .

Date: 3/2005
Publication: Security Innovation, Inc. Web Site

Byline: Richard Ford, Herbert H. Thompson, Fabien Casteran
Headline: " Role Comparison Report – Web Server Role "

Excerpt or Summary:
CVE was the underpinning for this study by Security Innovation, Inc. that compared Linux versus Windows in terms of security vulnerabilities. The authors state: "In our analysis, we refer to a vulnerability as distinct if it has its own CVE or CAN identifier." In a section entitled "MITRE CVE List" the study describes what CVE is, mentions the CVE Editorial Board, explains the difference between CVE names with official entry status and CVE names with candidate status, and includes links to the CVE Web site.

In addition, the authors used the National Institute of Standards and Technology's (NIST) ICAT database —which NIST describes as a "CVE Vulnerability Search Engine"—to determine the severity of each vulnerability identified in the study. NIST is a member of the CVE Editorial Board and ICAT is listed on the CVE-Compatible Products and Services page.

Date: 3/2005
Publication: Communication News

Byline: Gary Miliefsky
Headline: " Shore up your network "

Excerpt or Summary:
CVE is mentioned in this article when the author uses CVE names as synonyms when referring to vulnerabilities: "Once the appliance detects a new system or device, it should scan or audit that system as soon as possible for CVEs that a hacker could exploit."

Date: 3/2005
Publication: Online Glossary of Security Terms

Byline: WatchGuard Technologies, Inc.
Headline: " CVE-compatible "

Excerpt or Summary:
"CVE-compatible" is included as an entry in this online encyclopedia, along with the following description: "Common Vulnerabilities and Exposures (CVE) is a list of standardized names for vulnerabilities and other information security exposures, whose aim is to standardize the names for all publicly known vulnerabilities and security exposures. "CVE-compatible" means that a tool, Web site, database, or service uses CVE names in a way that allows it to cross-link with other repositories that use CVE names."

Date: 3/27/2005
Publication: Beyond Security Ltd. Web Site

Title: " Beyond Security Now CVE Compatible "

Excerpt or Summary:
CVE compatibility was the main topic of this press release by Beyond Security Ltd. announcing that its "Security Assessment Service is now [fully] CVE-compatible." The release also includes a quote by Aviram Jenik, CEO of Beyond Security, who states: "CVE compatibility may seem awfully techy to some, but we feel it is important to embrace the evolving standards necessary to better audit networks security vulnerabilities."

Beyond Security Ltd. and its Automated Scanning Appliance; Automated Scanning Service-External Scanning; Automated Scanning Service-Service Provider Platform; and Automated Scanning Service-Product Audits are listed on the CVE-Compatible Products and Services page.

Date: 3/27/2005
Publication: PRWeb.com

Title: " Beyond Security Now CVE Compatible "

Excerpt or Summary:
This is a reprint of the Beyond Security Ltd. press release above announcing that its Security Assessment Services are now officially CVE-Compatible. Beyond Security Ltd. and its Automated Scanning Appliance; Automated Scanning Service-External Scanning; Automated Scanning Service-Service Provider Platform; and Automated Scanning Service-Product Audits, are listed on the CVE-Compatible Products and Services page.

Date: 3/27/2005
Publication: Newspad.com

Title: " Beyond Security Now CVE Compatible "

Date: 3/2/2005
Publication: Webopedia

Headline: " CVE "

Excerpt or Summary:
CVE is included as an entry in this online encyclopedia, along with the following description: "CVE is a dictionary-type list of standardized names for vulnerabilities and other information related to security exposures. CVE aims to standardize the names for all publicly known vulnerabilities and security exposures. The goal of CVE is to make it easier to share data across separate vulnerable databases and security tools." The entry also includes a link to the CVE Web site.

Date: 3/1/2005
Publication: MarketWire.com

Headline: " Configuresoft CTO Dennis Moreau Tapped for OVAL Board "

Excerpt or Summary:
CVE was mentioned in this press release from Configuresoft, Inc. regarding the appointment of Dr. Dennis Moreau, chief technology officer for Configuresoft to the OVAL Board of industry representatives for the Open Vulnerability and Assessment Language ( OVAL ) project. The release mentions CVE when it states that OVAL vulnerability definitions are based upon CVE names : "OVAL builds upon Common Vulnerabilities and Exposures (CVE), a dictionary of standardized names and descriptions for publicly known information security vulnerabilities and exposures, developed by MITRE in cooperation with the international security community."

February 2005

Date: 2/22/2005
Publication: SmallBusinessComputing.com

Byline: Joseph Moran
Headline: " BUYER'S GUIDE: Is Your Network in Compliance? Call in Auditor 16 "

Excerpt or Summary:
CVE was mentioned in this product review of PredatorWatch , Inc.'s PredatorWatch Auditor 16 product. CVE is mentioned when the author describes how the product works: "Auditor 16 checks the audits it conducts against the CVE List, which is funded by the U.S. Department of Homeland Security and maintained by The MITRE Corporation . CVE is an abbreviation for Common Vulnerabilities and Exposures, and the CVE List is a standardized dictionary of thousands of publicly known security problems affecting a host of products. These include Windows and Linux-based servers like Web, mail, FTP and database applications, as well as operating systems, client applications, routers, firewalls and so forth." The author also refers to vulnerabilities as CVEs as he describes how he tested the product.

PredatorWatch, Inc. is listed on the CVE-Compatible Products and Services page and its PredatorWatch Auditor 16 and Update Service, PredatorWatch Auditor 128 and Update Service, and PredatorWatch Auditor Enterprise and Update Service were each awarded official "Certificates of CVE Compatibility" in November 2004.

Date: 2/22/2005
Publication: PCWorld.com

Byline: Paul Roberts
Headline: " How Serious Is That Security Flaw? Microsoft and Symantec are backing a plan to create a severity scoring system for software holes. "

Excerpt or Summary:
This article discusses the creation of the Common Vulnerability Scoring System (CVSS) and is a reprint of the article that appeared in Computerworld as described below.

Date: 2/18/2005
Publication: Computerworld.com

Byline: Paul Roberts
Headline: " RSA: Major companies tout new vulnerability rating system; The Common Vulnerability Scoring System was unveiled yesterday "

Excerpt or Summary:
This article discusses the creation of the Common Vulnerability Scoring System (CVSS), which if adopted "would provide a common language for describing the seriousness of computer security vulnerabilities and replace vendor-specific rating systems."

CVE is mentioned in a statement by Gerard Eschelbeck of Qualys, Inc.: "The new rating system will be akin to the Common Vulnerabilities and Exposures (CVE) database maintained by MITRE, which provides standard identifiers and information about software holes. As with CVE, vendors will most likely use CVSS ratings as a common base of reference but continue to offer their own analysis or threat assessments."

The article describes the CVSS proposal in detail and states that it is "part of a project by the National Infrastructure Advisory Council [NIAC] to create a global framework for disclosing information about security vulnerabilities." The article also notes that the new rating system was created by NIAC , which part of the U.S. Department of Homeland Security, and members of the IT industry including "eBay Inc., Qualys Inc., Internet Security Systems Inc. and MITRE Corp." Also mentioned in the article as supporting CVSS are "Cisco Systems Inc., Microsoft Corp. and Symantec Corp."

Of the organizations mentioned above, Cisco Systems Inc.; Internet Security Systems, Inc.; Qualys, Inc.; Microsoft Corporation; and Symantec Corporation are members of the CVE Editorial Board , and Cisco Systems Inc.; Internet Security Systems, Inc.; Qualys, Inc.; and Symantec Corporation are listed on the CVE-Compatible Products and Services page. In addition, MITRE Corporation maintains CVE, which is sponsored by US-CERT at the U.S. Department of Homeland Security , and provides impartial technical guidance to the Editorial Board on all matters related to ongoing development of CVE.

Date: 2/18/2005
Publication: Infoworld.com

Byline: Paul Roberts
Headline: " Major companies team on vulnerability rating system: Cisco, Microsoft, and Symantec are among the vendors promoting a standard for assessing software vulnerabilities "

Excerpt or Summary:
This article discusses the creation of the Common Vulnerability Scoring System (CVSS) and is a reprint of the article that appeared in Computerworld as described above.

Date: 2/8/2005
Publication: InternetNews.com

Byline: Sean Michael Kerner
Headline: " Microsoft Issues Major Patch Release in Feb. Cycle "

Excerpt or Summary:
CVE was mentioned throughout this article discussing the contents of eleven recent security bulletins from Microsoft Corporation. In addition to describing the issues covered by each bulletin, the article also includes the CVE candidate for each issue.

Microsoft Corporation is a member of the CVE Editorial Board and is listed on the Organizations with CVE Names in Vulnerability Advisories page.

Date: 2/2/2005
Publication: GRIDtoday

Headline: " ArcSight's Raffael Marty Appointed to MITRE OVAL Board "

Excerpt or Summary:
This article is based upon the ArcSight, Inc. news release announcing Raffael Marty's appointment to the OVAL Board of industry representatives for the Open Vulnerability and Assessment Language ( OVAL ) project. The release mentions CVE when it states that OVAL vulnerability definitions are based upon CVE names : "OVAL is based on Common Vulnerabilities and Exposures, a dictionary of standardized names and descriptions for publicly known information security vulnerabilities and exposures developed by The MITRE Corporation in cooperation with the international security community."

January 2005

Date: 1/2005
Publication: Answers.com

Headline: " CVE "

Excerpt or Summary:
CVE is included as an entry in this online encyclopedia, along with the following description: "CVE (Common Vulnerabilities and Exposures) - A list of information security exposures and vulnerabilities sponsored by US-CERT and maintained by the MITRE Corporation. The CVE mission is to provide standard names for all publicly known security exposures as well as standard definitions for security terms. The CVE can be searched online using the ICAT Metabase at www.icat.nist.cog/icat.cfm or downloaded in several formats from MITRE Corporation at www.cve.mitre.org/cve. See ICAT Metabase ."

National Institute of Standards and Technology's (NIST) ICAT database is listed on the CVE-Compatible Products and Services page, and NIST is a member of the CVE Editorial Board .

Date: 1/2005
Publication: AuditMyPC.com

Headline: " CVE "

Excerpt or Summary:
CVE is included as an entry in this online encyclopedia, along with the following description: "CVE is an acronym for Common Vulnerabilities and Exposures."

Date: 1/2005
Publication: InternetAdSales.com

Headline: " Common Vulnerabilities and Exposures (CVE) "

Excerpt or Summary:
CVE is included as a listing in the Resource Center section of this Web site under the "Internet Security & Firewalls" category. The listing includes the CVE name, a link to the CVE Web site, and a brief explanation that CVE is a "A searchable [list] of internet security problems."

Date: 1/26/2005
Publication: TechNewsWorld

Byline: Jennifer LeClaire
Headline: " Apple Issues Patch To Fix Security Hole in OS X "

Excerpt or Summary:
CVE is mentioned in this article about a security advisory from Apple Computer, Inc. when it refers to text on the Apple Web site that states: "Where possible, CVE (Common Vulnerabilities and Exposures) IDs are used to reference the vulnerabilities for further information."

Apple Computer, Inc. is listed on the Organizations with CVE Names in Vulnerability Advisories page.

Date: 1/20/2005
Publication: ITSecurity.com

Headline: " Secure Elements Enters Compatibility Phase of the Common Vulnerabilities and Exposures Evaluation Process "

Excerpt or Summary:
CVE compatibility was the main topic of this article about Secure Elements, Inc. making a declaration of its intent to make its Class 5 AVR automated vulnerability remediation product CVE-compatible. The article describes what CVE is and isn't, explains the CVE compatibility process, mentions the CVE Editorial Board, and includes a link to the CVE Web site.

The article states: "Secure Elements has completed the declaration phase of the two-step CVE certification process. In approximately three months the certification is expected to be complete and Secure Elements CLASS 5 AVR will be deemed "CVE compatible," a distinction certifying that the solution uses vulnerability names in a manner that allows them to be cross-referenced with other products that employ CVE names, ensuring enhanced interoperability and security for enterprises."

The article also includes a quote from Chief Technology Officer of Secure Elements Dan Bezilla, who states: "CLASS 5 AVR combines vulnerability information from a myriad of sources to provide the most complete vulnerability coverage possible for our customers. In working toward a CVE compatibility certification Secure Elements is demonstrating its dedication to better network security, as well as its commitment to providing zero-day exploit remediation to our customers when new vulnerabilities occur."

Secure Elements, Inc. and Class 5 AVR are listed on the CVE-Compatible Products and Services page.

Date: 1/18/2005
Publication: InternetNews.com

Byline: Sean Michael Kerner
Headline: " PredatorWatch Prowling For CVEs "

Excerpt or Summary:
CVE was mentioned throughout this article about PredatorWatch, Inc.'s PredatorWatch Auditor 16 product. The author states: "Buried inside the vast majority of security advisories and patches issued by vendors and the security community is a standardized naming convention called CVE ( Common Vulnerabilities and Exposures )." The author continues: "A new tool from security vendor PredatorWatch aims to take advantage of the CVE "dictionary" in order to provide a greater level of security than either a firewall or anti-virus solution alone can provide. The product does that by striking at the heart of the issue, vulnerability (in the form of CVE's) assessment itself."

The article describes what CVE is, mentions that it was launched in 1999, notes that the initiative is sponsored by US-CERT at the Department of Homeland Security, includes a link to the CVE Web site, and that "According to PredatorWatch, 95 percent of all network security breaches are the result of [CVE names]." The author further notes: "In PredatorWatch's opinion, [the vulnerabilities listed by CVE names] are at the root of most malware, Trojans and viruses." The article also includes a quote from Gary Miliefsky, PredatorWatch CEO, who states: "So if you have a common vulnerability and exposure/CVE on your computer that malware/Trojan/virus can take advantage of that and compromise you."

The article also includes a quote by CVE Compatibility Lead Robert A. Martin, who mentions that CVE names would be especially effective to help the media and IT managers to demystify viruses, worms, and malware: "They're not some magical creatures that can go through a solid surface. They have to take advantage of a flaw in your process or a flaw. If people were aware that these are open windows and doors maybe they would appreciate that closing those windows and locking those doors is a good idea."

PredatorWatch, Inc. is listed on the CVE-Compatible Products and Services page and its PredatorWatch Auditor 16 and Update Service, PredatorWatch Auditor 128 and Update Service, and PredatorWatch Auditor Enterprise and Update Service were each awarded an official "Certificate of CVE Compatibility" on November 18, 2004.

Date: 1/16/2005
Publication: ArcSight Web Site

Headline: " ArcSight's Raffael Marty Appointed to MITRE OVAL (Open Vulnerability [and] Assessment Language) Board "

Excerpt or Summary:
CVE was mentioned in this press release from ArcSight, Inc. regarding the appointment of Raffael Marty of ArcSight to the OVAL Board of industry representatives for the Open Vulnerability and Assessment Language ( OVAL ) project. The release mentions CVE when it states that OVAL vulnerability definitions are based upon CVE names : "OVAL is based on Common Vulnerabilities and Exposures (CVE^™), a dictionary of standardized names and descriptions for publicly known information security vulnerabilities and exposures developed by The MITRE Corporation in cooperation with the international security community."

Date: 1/4/2005
Publication: MarketWire.com

Headline: " Govplace Joins IBM as PredatorWatch Reseller: Govplace and PredatorWatch Make New Year's Resolution to Help Government, Education and Healthcare Organizations Stop Hackers, Increase Network Uptime and Comply With Regulations "

Excerpt or Summary:
CVE was mentioned in this press release by Govplace regarding their arrangement with PredatorWatch, Inc. as a reseller. CVE is mentioned in a statement about PredatorWatch's Auditor Enterprise: "The appliance provides true proactive network security by dynamically detecting and automatically quarantining Common Vulnerabilities and Exposures (CVEs) at the port level. CVEs are the weak spots on a network that are the systemic cause of over 95 percent of all network security breaches." The release also notes that CVE is a "federally funded list of CVEs maintained by the MITRE Corporation."

CVE is also mentioned in a quote by Gary Miliefsky, president and CEO of PredatorWatch, who states: "Auditor Enterprise enables Govplace to help these organizations proactively protect their networks by dynamically detecting, auditing and blocking CVEs, the real network security culprits which go largely undetected and uncorrected — especially from unknown and untrusted systems."

PredatorWatch, Inc. is listed on the CVE-Compatible Products and Services page and its PredatorWatch Auditor Enterprise and Update Service, PredatorWatch Auditor 128 and Update Service, and PredatorWatch Auditor 16 and Update Service were each awarded official "Certificates of CVE Compatibility" in November 2004.

In the News Archives:

For more information, please email cve@mitre.org

Page last updated: Friday, 30-Dec-2005 16:00:03 EST