CVE Compatibility Process

The CVE Compatibility Process is a formal review and evaluation process for organizations wishing to declare their information security products and services as CVE-compatible and have them formally evaluated.

Compatible products and services are listed on the CVE-Compatible Products and Services page and are viewable alphabetically by category type, by product name, by organization name, and by country. This information is also included on handouts at information security and related tradeshows and events at which MITRE exhibits CVE (see the CVE Calendar of Events).

Table of Contents

  1. Introduction
  2. Phase 1 – "Declaration" of CVE Compatibility
  3. Phase 2 – CVE Compatibility Requirements "Evaluation"
  4. Summary of the Process
  5. Contact and Submission Instructions

Introduction

The CVE Compatibility Process involves two phases. The first, called the Declaration Phase, consists of registering an organization's declaration of intent to make their product(s) and/or service(s) CVE-compatible. An organization must complete phase 1 before starting phase 2. The second phase, called the Evaluation Phase, requires the completion of a questionnaire that specifically looks for the details of how the organization has satisfied the "Requirements and Recommendations for CVE Compatibility." Organizations that successfully complete the second phase will be included in a branding program that offers an official CVE-Compatible Product/Service logo to indicate compatibility. The logo is authorized for use on Web sites, publicity and marketing materials, trade show and other signage, product packaging, etc.

Phase 1 – "Declaration" of CVE Compatibility

The Declaration Phase consists of an organization reviewing the compatibility requirements and then making a declaration stating that their product or service fulfills, or will fulfill, the CVE compatibility requirements.

Once the declaration is reviewed, the following information will be listed on the compatible products/services page (provided the products or services are commercially available when we post the declaration):

  1. Organization name
  2. Web site address
  3. Quote: a brief sentence or two of how and why the organization is participating in the CVE Initiative
  4. Product/Service name with URL link to organization's product page
  5. Product/Service Type: category of information security product or service
  6. CVE Readiness: whether CVE searchability, CVE output, and CVE documentation are available or not yet available
  7. Compatibility Questionnaire: posted for review when available

Only organizations that complete the declaration phase will receive the "CVE Compatibility Requirements Evaluation Form," starting phase 2. These organizations will also receive a "Compatible Product/Service Organization Welcome Kit" with items for their Web site including:

  • a CVE link button that can be used on their website to link to the CVE main site
  • CVE/compatibility FAQ question and answer
  • CVE/compatibility glossary term and definition
  • and a brief HTML description of CVE.

Any or all of these may be used on the organization's Web site.

The first phase of the compatibility process is initiated by requesting the "CVE Compatibility Declaration Form" in an email request to cve@mitre.org. This form, which can be filled out fairly quickly, should be emailed back to cve@mitre.org.

Phase 2 – CVE Compatibility Requirements "Evaluation"

The second phase of the compatibility process involves a formal review and evaluation process. In this phase, organizations have completed the declaration phase, and must now complete the "CVE Compatibility Requirements Evaluation Form." This phase 2 questionnaire form requires that the organization state specific and verifiable details about how it has satisfied the compatibility requirements. MITRE will then review the form, and verify the organization's mapping accuracy as stated in the "Requirements and Recommendations for CVE Compatibility" document (see Section 3. Accuracy).

Once the form is received by MITRE, the review period will begin. The submitting organization will be contacted by MITRE, and the details necessary for the mapping accuracy review will be worked out. Upon successful completion of the evaluation of the submitted questionnaire, the organization will be contacted and informed of MITRE's concurrence with their questionnaire responses. The submitting organization's information will then be updated on the compatible products/services page to include the phase 2 questionnaire material.

For organizations completing this phase of the process, the following information will be listed on the CVE-Compatible Products/Services page:

  • Updated versions of the information contained in the organization's declaration.
  • The responses from the CVE Compatibility Requirements Evaluation Form questionnaire.

At a later time MITRE will complete its mapping accuracy review and the submitting organization will be notified of their completion of the evaluation phase. At this point they will receive an official CVE-Compatible Product/Service logo to indicate compatibility. Logo use recommendations and restrictions will be supplied at that time.

While this second phase takes more effort than the first for both the submitting organization and MITRE, it has been designed to minimize the expense to both. The approach avoids an evaluation process that would make it too expensive for freeware or smaller software vendors to obtain compatibility. By using the questionnaire and statement of compatibility, the level of effort is kept reasonable, while making a good effort to verify that the submitting organization properly understands and correctly implements the CVE compatibility requirements. The publication of the organization's statement on the CVE Web site allows end users and prospective customers to compare how different products satisfy the requirements, and the market can then decide which specific implementations are best.

To initiate participation at this level of the process you must first complete the declaration phase. Feel free to direct your customers to your listing on the CVE Web site.

Summary of the Process

Phase 1 – The Declaration Phase:

  1. Review the "Requirements and Recommendations for CVE Compatibility" document.
  2. Review the existing declarations listed on the CVE-Compatible Products/Services page.
  3. Send an email to cve@mitre.org requesting the "CVE Compatibility Declaration Form."
  4. Email the completed form to cve@mitre.org.
  5. MITRE sends the declaration form and the "Compatible Product/Service Organization Welcome Kit."
  6. If CVE Output, CVE Searchability, and CVE Documentation responses are all "yes," proceed to phase 2. If not, wait and then notify MITRE when these are completed.

Phase 2 – The Evaluation Phase:

  1. Upon completion of phase 1, MITRE sends the "CVE Compatibility Requirements Evaluation Form" questionnaire, along with a sample of a completed form.
  2. Print out, sign, and mail the completed form to the address supplied on the form, along with copies of any supporting documentation.
  3. Email an electronic copy of the completed form and any supporting documentation to cve@mitre.org.
  4. The completed questionnaire will be posted and made available on the CVE website.
  5. Upon notification from MITRE, work with MITRE to ensure mapping accuracy between CVE names and your organization's underlying data repository.
  6. The organization is listed as CVE-compatible on the CVE Web site; the organization also receives authorization to use the CVE-Compatible Product/Service logo for the specified product(s) or service(s).

Contact and Submission Instructions

To begin the registration process, review the official CVE Compatibility Process detailed above, then send an email to cve@mitre.org requesting the Declaration Form, along with your company name and contact information, the type of product, and the name of the product or service.

You will receive specific instructions for completing and submitting additional information as the process continues.

 
Page Last Updated: May 21, 2007