VulnCheck Adds Common Platform Enumeration (CPE) Data to its NVD++ Service to Improve Vulnerability Prioritization

VulnCheck

VulnCheck, the exploit intelligence company, announced it is enhancing its Community Tier service, NVD++, with Common Platform Enumeration (CPE) data currently missing from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). By enriching NVD++ with CPE data, VulnCheck is helping solve an industry-wide issue, enabling defenders to identify vulnerable assets for newly published Common Vulnerabilities and Exposures (CVEs) in the NVD.

CPE data plays a crucial role in vulnerability management by providing a standardized method for identifying and documenting software applications, operating systems, and hardware components. VulnCheck’s initial release of CPE enrichment in NVD++ will close the gap for close to half of the current CVEs missing critical CPE data, starting with the majority of the highest-prevalence vendors and products, where vulnerability management teams lack the data to measure local exposure.

The source data VulnCheck used to produce “known vulnerable configurations” containing CPEs in NVD++ is the same as that used by NIST. VulnCheck’s research team is investigating additional sources and prioritizing accuracy over quick coverage to expand CPE correlation in the coming weeks.

“Mapping software components to existing and new vulnerabilities is paramount for every cybersecurity company, product, and practitioner,” said Dmitry Raidman, CTO at Cybeats. “Many platforms and workflows globally rely on the existence of Common Platform Enumeration (CPE) records for every published vulnerability to determine which software and software versions are affected. It is great to see VulnCheck supporting the broader cybersecurity community by addressing the information gap, which helps continue vulnerability mapping for the industry.”

Adding the missing CPE data to NVD++ enables teams to correlate OS / software packages, applications, devices and other assets with vulnerabilities to measure their exposure and prioritize response. The enhanced Community tier service provides practitioners with a stable alternative to the NVD that operates at the speed of business.

“The NIST NVD is a best-effort tool from the government and a foundation for vulnerability management,” said Anthony Bettini, founder and CEO at VulnCheck. “However, given ongoing reliability issues, we’re taking another step toward solving important challenges for our Community tier members. With CPE data, VulnCheck NVD++ now offers the missing link between vulnerabilities and impacted systems.”

VulnCheck first unveiled NVD++ on March 13, 2024. The Community tier service provides members with a reliable, high-performance source of NVD 2.0 and 1.0 CVE data via API or downloadable JSON files.

SOURCE: BusinessWire