TEL AVIV AND BOSTON – January 21, 2022 – WhiteSource, a leader in open source security and management, today announced that it has been recognized at the Provider Acceptance Level for NIST’s National Vulnerability Database (NVD). The NVD is the largest and most comprehensive repository of reported known vulnerabilities, both in commercial and open source components.
The NVD’s Collaborative Vulnerability Metadata Acceptance Process (CVMAP) program recognizes the superior accuracy of information that WhiteSource has contributed relative to assessments of Common Vulnerability Scoring System v3.1 (CVSS v3.1) and Common Weakness Enumeration (CWE).
With 89 CVSS v3.1 participants, WhiteSource is one of only three to be recognized with the Provider Acceptance Level, alongside software giants Oracle and Microsoft.
WhiteSource is the only company in the world with Provider Acceptance Level for both CVSS v3.1 and CWE. “This recognition of WhiteSource’s security analysis expertise reaffirms the community’s trust in our knowledge and reasserts our leading position at the forefront of application security technology,” said Rami Sass, Co-Founder, and CEO of WhiteSource. “As the impact of the latest vulnerabilities found in the popular Java logging framework Log4j demonstrates, the work we do with the NVD to protect organizations from malicious activity becomes even more critical. WhiteSource is proud to be recognized as a leading data provider.”
The NVD’s CVMAP program has established a set of acceptance levels that CVE Numbering Authorities (CNAs) such as WhiteSource can achieve, based on the data they provide through the Common Vulnerabilities and Exposures list (CVE). CNAs are entities authorized by NIST to assign CVE IDs to vulnerabilities and publish CVE Records. Separate acceptance levels are assigned for each submission category, such as CVSS v3.1 and CWE. As CNAs provide submission category data and NVD analysts provide analysis results, the CNA data is compared against the NVD analyst data. As the CNA and NVD data align, the acceptance level of the CNA for that submission category increases.
Once an entity has been granted Provider Acceptance Level status, the data that they submit to the NVD is considered to be the same as data generated by NVD analysts and is immediately placed into the NVD data feeds. Providers are considered the leading contributors to the NVD. The CVMAP program maintains consistent practices across the information security community when providing standards and text-based information, alleviating the strain caused by the growing volume of CVE publications on NVD staff, and continuing to retain the quality of information for all consumers of CVE data.