Symantec & CVE Compatibility
What is the CVE Initiative?
The Common Vulnerabilities and Exposures (CVE) Initiative is maintained by the MITRE Corporation and is a list of standardized names for vulnerabilities and other information security exposures. CVE aims to standardize the names for all publicly known vulnerabilities and security exposures.
See http://cve.mitre.org for more information.
What is Symantec's role with the CVE Initiative?
Symantec is committed to providing our customers with the most up-to-date and accurate information regarding new vulnerabilities and other security exposures.
By including CVE names when we discuss security issues in our services and products, Symantec can help users more quickly identify vulnerabilities and respond to them accordingly. Symantec is one of the founding members of the CVE Initiative. Symantec currently has two voting members on the CVE Editorial Board who work along with the other Editorial Board members to verify and validate the candidate issues proposed to CVE. Additionally, Symantec's CTO holds the position of a CVE advocate. This role is reserved for respected leaders in the security community who help bring credibility to the CVE Initiative and give CVE a wider reach outside of the security community.
Where does Symantec use CVE names?
We use CVE references in the following areas of our Symantec Security Response Web site:
- Vulnerability Database
- Security Advisories
- Virus Database
- Archives
- Security Products
Symantec is constantly reviewing and updating our online content to include new CVE additions.
Can I search for CVE references?
Users may search for a particular CVE name on the Symantec Security Response Web site. A search can be made for a specific CVE name (for example "CVE-2001-0852") or partial name (for example "CAN-2002") to list all 2002 CVE candidates.
Why does the CVE web site tell me a name you referenced is not found?
Most of the security issues addressed in our and other vendors' advisories are not initially public knowledge and have not been assigned a CVE name. However, many of the security vendors and organizations work with MITRE to reserve CVE candidate names in advance for use with newly discovered security issues. There may, however, be a short delay before the issue shows up on the CVE web site once the issue is made public.
What is the difference between a CVE entry and a candidate?
CVE "candidates" are those vulnerabilities or exposures under consideration for acceptance into CVE. Candidates are assigned special numbers to distinguish them from CVE entries. Each candidate has three primary items associated with it:
- Number (also referred to as a name)
- Description
- References
The number, also referred to as a name, is an encoding of the year that the candidate number was assigned and a unique number N for the Nth candidate assigned that year, e.g. CAN-1999-0067.
Established practices are followed when a candidate is created. If the Editorial Board accepts the candidate, an official CVE entry is created that includes the description and references. The candidate number is converted into a CVE name by replacing the "CAN" with "CVE." For example, when the Editorial Board accepted the candidate CAN-1999-0067, the candidate number was converted to CVE-1999-0067, and the resulting new entry was added to CVE. The assignment of a candidate number is not a guarantee that it will become an official CVE entry.
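The naming rule above, as an added example (not Symantec's or MITRE's code): it extracts CAN-/CVE- names from advisory text and indexes them under the CVE form, so a full or partial search finds an issue whether it was cited as a candidate or as an entry. The advisory texts, the 2002 numbers and all function names are constructed for illustration; treating both prefixes as equivalent in search and accepting four or more digits in the sequence part are assumptions.

```python
import re

# Candidate form (CAN-YYYY-NNNN) or entry form (CVE-YYYY-NNNN).
# Assumption: four or more digits in the sequence part (the page's examples use four).
NAME_RE = re.compile(r"\b(CAN|CVE)-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed sample advisories; the 2002 numbers are made-up placeholders.
ADVISORIES = {
    "advisory-1": "Addresses CAN-1999-0067 (a candidate at time of writing).",
    "advisory-2": "CVE-1999-0067 and CVE-2001-0852 are covered by this update.",
    "advisory-3": "Reserved: CAN-2002-9991 and can-2002-9992; 'CAN-02-1' is malformed.",
}


def canonical(name):
    """Return the CVE-form name for a CAN- or CVE- name, or None if malformed."""
    m = NAME_RE.fullmatch(name.strip())
    return "CVE-{}-{}".format(m.group(2), m.group(3)) if m else None


def build_index(documents):
    """Map canonical name -> {document title: set of forms cited in it}."""
    index = {}
    for title, text in documents.items():
        for m in NAME_RE.finditer(text):
            key = "CVE-{}-{}".format(m.group(2), m.group(3))
            index.setdefault(key, {}).setdefault(title, set()).add(m.group(0).upper())
    return index


def search(index, query):
    """Look up a full name exactly, or a partial name (e.g. 'CAN-2002') by prefix."""
    q = re.sub(r"^CAN-", "CVE-", query.strip().upper())
    exact = canonical(q) is not None  # a full name must not prefix-match longer numbers
    return {
        key: sorted(docs)
        for key, docs in sorted(index.items())
        if (key == q if exact else key.startswith(q))
    }


if __name__ == "__main__":
    idx = build_index(ADVISORIES)
    for query in ("CAN-1999-0067", "CVE-2001-0852", "CAN-2002"):
        print(query, "->", search(idx, query))
```

The per-document set of cited forms shows which advisories still refer to an issue only by its candidate number.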
Who else uses CVE names?
There are a number of security product vendors, on-line security databases and security organizations that use CVE names. For more information on organizations and products that are "CVE-compatible" or that have declared their intention to become "CVE-compatible", see the MITRE CVE-Compatible Products/Services page, http://www.cve.mitre.org/compatible/.
Where can I go to find more information?
For additional information on the CVE Initiative, what it is, what it does and how it can benefit you, please visit the MITRE Corporation CVE web site, http://cve.mitre.org.