Shostack + Friends Blog Archive


Happy Birthday, CVE!


The sixth presentation was based on a paper titled “Towards a Common
Enumeration of Vulnerabilities” by David E. Mann and Steven M. Christey
from the MITRE Corporation. This presentation also generated considerable
interest from the audience. They tackled the problem of dealing with
several heterogeneous vulnerability databases and presented the Common
Vulnerability Enumeration (CVE) mechanism for sharing of vulnerability
data. They related the CVE to current practices on vulnerability data

From the “2nd Workshop on Research with Security Vulnerability Databases” writeup in IEEE Cipher.

From a recent email to the CVE editorial board:

Our CVE compatibility evaluation program has continued to grow, with
Bob Martin’s leadership. Now, over 230 products and services, from
140+ organizations, have at least declared their intentions for CVE
compatibility. 53 products have obtained official “CVE Compatible”
status, with another set of products to be announced soon.

All from one talk, seven years ago, and an awful lot of hard work along the way.

(Disclosure: I’m working with MITRE on a CVE-related project.)