CVE Adoption and Compatibility Process

The CVE Adoption and Compatibility Process is a multi-step progression. It starts with an organization becoming aware of CVE and its potential value to their customers, continues with the organization deciding to adopt and support CVE within their offerings and declaring their information security products and services as CVE-compatible, and culminates in a formal review and evaluation process where the CVE-compatible declaration is formally evaluated.

Compatible products and services are listed on the CVE-Compatible Products and Services page and are viewable alphabetically by category type, by product name, by organization name, and by country. This information is also included on handouts at information security and related tradeshows and events at which MITRE exhibits CVE (see the CVE Calendar of Events).

Table of Contents

  1. Introduction
  2. Phase 1 – "Declaration" of CVE Compatibility
  3. Phase 2 – CVE Compatibility Requirements "Evaluation"
  4. Summary of the Process
  5. Contact and Submission Instructions

Introduction

The CVE Adoption and Compatibility Process involves two phases. The first, called the Declaration Phase, consists of registering an organization’s declaration of intent to make their product(s) and/or service(s) CVE-compatible. An organization must complete phase 1 before starting phase 2. The second phase, called the Evaluation Phase, requires the completion of a questionnaire that specifically looks for the details of how the organization has satisfied the "Requirements and Recommendations for CVE Compatibility." Organizations that successfully complete the second phase will be included in a branding program that offers an official CVE-Compatible Product/Service logo to indicate compatibility. The logo is authorized for use on Web sites, publicity and marketing materials, trade show and other signage, product packaging, etc.

Phase 1 – "Declaration" of CVE Compatibility

The Declaration Phase consists of an organization reviewing the compatibility requirements and then making a declaration stating that their product or service fulfills, or will fulfill, the CVE compatibility requirements. As part of this phase, MITRE works with prospective organizations to help them understand what CVE support is and how it can bring value to the organization’s customers and improve the ways organizations can leverage CVE.

Once the declaration is reviewed, the following information will be listed on the compatible products/services page (provided the products or services are commercially available when we post the declaration):

  1. Organization name
  2. Web site address
  3. Quote: a brief sentence or two of how and why the organization is participating in the CVE Initiative
  4. Product/Service name with URL link to organization’s product page
  5. Product/Service Type: category of information security product or service
  6. CVE Readiness: CVE searchable, CVE output, and CVE documentation are available or not yet available
  7. Compatibility Questionnaire: posted for review when available

Only organizations that complete the declaration phase will receive the "CVE Compatibility Requirements Evaluation Form," starting phase 2. These organizations will also receive a "Compatible Product/Service Organization Welcome Kit" with items for their Web site including:

  • a CVE link button that can be used on their website to link to the CVE main site
  • CVE/compatibility FAQ question and answer
  • CVE/compatibility glossary term and definition
  • and a brief HTML description of CVE.

Any or all of these may be used on the organization’s Web site.

The first phase of the adoption and compatibility process is initiated by requesting the "CVE Compatibility Declaration Form" in an email request to cve@mitre.org. This form, which can be filled out fairly quickly, should be emailed back to cve@mitre.org.

Phase 2 – CVE Compatibility Requirements "Evaluation"

The second phase of the adoption and compatibility process involves a formal review and evaluation process. In this phase, organizations have completed the declaration phase, and must now complete the "CVE Compatibility Requirements Evaluation Form." This phase 2 questionnaire form requires that the organization state specific and verifiable details about how it has satisfied the compatibility requirements. MITRE will then review the form, and verify that the descriptions about the organization’s capabilities match the requirements.

Once the form is received by MITRE, the review period will begin. Upon successful completion of the evaluation of the submitted questionnaire, the organization will be contacted and informed of MITRE’s concurrence with their questionnaire responses and their completion of the evaluation phase. The submitting organization’s information will then be updated on the compatible products/service page to include the phase 2 questionnaire material.

For organizations completing this phase of the process, the following information will be listed on the CVE-Compatible Products/Services page:

  • Updated versions of the information contained in the organization’s declaration.
  • The responses from the CVE Compatibility Requirements Evaluation Form questionnaire.

At this point they will receive an official CVE-Compatible Product/Service logo to indicate compatibility. Logo use recommendations and restrictions will be supplied at that time.

While this second phase takes more effort than the first, it has been designed to minimize the expense to both while still working to make sure an organization’s capability correctly and effectively supports CVE. The approach avoids an evaluation process that would make it too expensive for freeware or smaller software vendors to obtain compatibility. By using the questionnaire and statement of compatibility, the level of effort is kept reasonable, while making a good effort to verify that the submitting organization properly understands and correctly implements the CVE compatibility requirements. The publication of the organization’s statement on the CVE Web site allows end users and prospective customers to compare how different products satisfy the requirements, and the market can then decide which specific implementations are best.

To initiate participation at this level of the process you must first complete the declaration phase. Feel free to direct your customers to your listing on the CVE Web site.

Summary of the Process

Phase 1 – The Declaration Phase:

  1. Review the "Requirements and Recommendations for CVE Compatibility" document.
  2. Review the existing declarations listed on the CVE-Compatible Products/Services page.
  3. Send an email to cve@mitre.org requesting the "CVE Compatibility Declaration Form."
  4. Email the completed form to cve@mitre.org.
  5. MITRE sends the declaration form and the "Compatible Product/Service Organization Welcome Kit."
  6. If CVE Output, CVE Searchability, and CVE Documentation responses are all "yes," proceed to phase 2. If not, wait and then notify MITRE when these are completed.

Phase 2 – The Evaluation Phase:

  1. Upon completion of phase 1, MITRE sends the "CVE Compatibility Requirements Evaluation Form" questionnaire, along with a sample of a completed form.
  2. Print out, sign, and mail the completed form to the address supplied on the form, along with copies of any supporting documentation.
  3. Email an electronic copy of the completed form and any supporting documentation to cve@mitre.org.
  4. The completed questionnaire will be posted and made available on the CVE website. Upon notification from MITRE, the organization is listed as CVE-compatible on the CVE Web site; the organization also receives authorization to use the CVE-Compatible Product/Service logo for the specified product(s) or service(s).

Contact and Submission Instructions

To begin the registration process, review the official CVE Compatibility Process detailed above, then send an email to cve@mitre.org requesting the Declaration Form along with your company name and contact information, the type of product, and the name of the product or service.

You will receive specific instructions for completing and submitting additional information as the process continues.

 
Page Last Updated: September 30, 2009