This week, the near-expiration of CISA’s contract with MITRE to administer the CVE program created significant uncertainty and sparked passionate discussions about the future of vulnerability management.
Sevco is committed to ensuring vulnerability management programs have the structure they need to operate at scale, and we will always normalize and enrich all vulnerabilities with whatever standards emerge, regardless of the capabilities provided by your existing vulnerability assessment tools.
We will do whatever it takes to support our customers through whatever future emerges:
- Sevco aggregates your vulnerabilities via API from whatever vulnerability assessment tools you deploy. That value is independent of your VA tool choice.
- Our data pipeline will enrich those vulnerabilities with whatever data your program requires. Already today we enrich with CVE details, CVSS, CVSSv2, CVSSv3, EPSSv3, CISA KEV, vulnerability intelligence, threat intelligence and more. We will extend those enrichments as required. That enrichment is independent of whatever data your VA tool provides.
- We integrate vulnerability and threat intelligence in partnership with VulnCheck. VulnCheck is one of a small group of CVE Numbering Authorities (CNAs) with the authority to assign CVE IDs and publish CVE Records for other products.
- VulnCheck, along with other organizations, is preparing for any transition of the CVE program from MITRE or CISA involvement.
MITRE’s CVEs provide the foundational data layer that gives the industry a standard, consistent way to track, enrich, research, and manage vulnerability disclosures. As the program evolves to meet the demands of our time, Sevco will continue to deliver world-class vulnerability enrichment, intelligence, and prioritization regardless of the direction it takes, so that your vulnerability management program can continue to operate through any future CVE program transitions.