CVE Statements
CVE Statements allow you and your vendors to provide your own view of a CVE, whether you're affected, still reviewing, or have chosen to accept the risk. These statements don’t override Bitsight’s independent evidence, but they give valuable context to your internal teams and any third parties monitoring you.
Whether you're managing your own security posture or evaluating your vendors, CVE Statements help you track what matters, reduce noise, and improve communication.
Note: CVE Statements are self-attested by each company, managed independently from Bitsight's evidence, do not influence ratings, and remain unchanged unless manually updated.
Why Use CVE Statements?
For managing your own vulnerabilities (SPM):
- Add internal context to detected CVEs.
- Reduce noise and focus on CVEs that require attention.
- Share your position with third-party monitors (if desired).
For monitoring vendors (CM):
- Understand how vendors interpret or respond to CVEs affecting them.
- Quickly identify if a vendor has not addressed or reviewed a CVE.
- Focus due diligence and follow-up efforts more effectively through Vendor Access.
Managing CVEs in Your Own Organization (SPM)
As an SPM user, you can add Statements to any CVE to reflect your internal understanding, for example, if you've already mitigated the risk or accepted it.
Go to the Vulnerability Detection page. Use the ‘Statement’ column to view the current status. Select the CVE, then click the ‘Set Statement’ button at the top to update it.
Statement Options
You can choose from the following:
- No Statement - No action has been taken yet
- Unreviewed - You’ve acknowledged the CVE but haven’t reviewed it yet
- Not Vulnerable - You’ve determined the CVE doesn’t affect your environment
- Under Review - Your team is currently analyzing the CVE
- Risk Accepted - You’ve decided to accept the risk
Tip: Save your filters to hide CVEs that don’t need attention.
Statement Visibility
When adding a Statement, you can choose whether it should be:
- Internal - Only visible to your organization (in the SPM App only)
- External - Shared with third parties monitoring you in the CM App.
Note: CVE Statements are scoped to each company/subsidiary independently. Be aware that CM clients may be monitoring your top-level parent company, your primary rating, or any of your subsidiaries.
Tip: If the same CVE is detected in different companies within your ratings tree and you want CM clients monitoring you to see the CVE Statement regardless of which company they monitor, make sure the CVE Statement exists on every company in your ratings tree. You can check whether a company in your ratings tree is being monitored by third parties on the Company Details page > Company Info tile (top right corner of the dashboard) > Monitored by X companies.
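The visibility and ratings-tree rules above are easy to get wrong in practice: an Internal statement, or a statement set only on the parent, is invisible to a CM client monitoring a subsidiary. The following is an added illustration, not Bitsight code or a Bitsight API, that models the five statement options and two visibility levels as described on this page and flags the companies in a ratings tree where a monitor would still see "No Statement". The company names, CVE ids and the monitored-by counts are constructed placeholders.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Statement(Enum):
    """The five statement options described on the page."""
    NO_STATEMENT = "No Statement"
    UNREVIEWED = "Unreviewed"
    NOT_VULNERABLE = "Not Vulnerable"
    UNDER_REVIEW = "Under Review"
    RISK_ACCEPTED = "Risk Accepted"


class Visibility(Enum):
    INTERNAL = "Internal"  # visible in the SPM app only
    EXTERNAL = "External"  # shared with third parties in the CM app


@dataclass
class CveStatement:
    statement: Statement
    visibility: Visibility


@dataclass
class Company:
    name: str
    monitored_by: int                 # the "Monitored by X companies" count
    detected: set[str]                # CVE ids detected for this company
    statements: dict[str, CveStatement] = field(default_factory=dict)


def visible_to_monitor(company: Company, cve_id: str) -> Statement:
    """What a CM user monitoring `company` sees for `cve_id`.

    Only External statements reach the CM app; an Internal statement, or no
    statement at all, shows up to the monitor as "No Statement".
    """
    entry = company.statements.get(cve_id)
    if entry is None or entry.visibility is Visibility.INTERNAL:
        return Statement.NO_STATEMENT
    return entry.statement


def ratings_tree_gaps(tree: list[Company], cve_id: str) -> list[str]:
    """Companies in the ratings tree where a monitor would NOT see the statement.

    A gap is a company that has the CVE detected, is monitored by at least one
    third party, and exposes no External statement for it, while some other
    company in the same tree does. Statements are per company, so the parent's
    External statement does not cover its subsidiaries.
    """
    exposed = {
        c.name for c in tree
        if visible_to_monitor(c, cve_id) is not Statement.NO_STATEMENT
    }
    if not exposed:
        return []
    return sorted(
        c.name for c in tree
        if cve_id in c.detected and c.monitored_by > 0 and c.name not in exposed
    )


def needs_attention(company: Company) -> list[str]:
    """Triage view: detected CVEs not yet closed out as Not Vulnerable or Risk Accepted."""
    closed = {Statement.NOT_VULNERABLE, Statement.RISK_ACCEPTED}
    pending = []
    for cve in sorted(company.detected):
        entry = company.statements.get(cve)
        if entry is None or entry.statement not in closed:
            pending.append(cve)
    return pending


# Constructed sample data. The CVE ids below are placeholders, not real identifiers.
CVE_A = "CVE-0000-0001"
CVE_B = "CVE-0000-0002"

PARENT = Company(
    "Example Parent Corp", monitored_by=3, detected={CVE_A, CVE_B},
    statements={CVE_A: CveStatement(Statement.NOT_VULNERABLE, Visibility.EXTERNAL)},
)
SUB_A = Company(
    "Example Sub A", monitored_by=1, detected={CVE_A},
    statements={CVE_A: CveStatement(Statement.NOT_VULNERABLE, Visibility.INTERNAL)},
)
SUB_B = Company("Example Sub B", monitored_by=0, detected={CVE_A})
TREE = [PARENT, SUB_A, SUB_B]

if __name__ == "__main__":
    print(visible_to_monitor(SUB_A, CVE_A).value)   # No Statement (Internal only)
    print(ratings_tree_gaps(TREE, CVE_A))           # ['Example Sub A']
    print(needs_attention(PARENT))                  # ['CVE-0000-0002']
```

`Example Sub B` is not reported as a gap because nobody monitors it; `Example Sub A` is, because its Not Vulnerable statement is Internal and therefore never reaches the CM client monitoring it.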
Where You’ll Use Statements
Vulnerability Detection Page: Filter by statement or visibility; update CVEs in bulk; and save custom filter sets to hide irrelevant vulnerabilities.
Audit Logs: Every update is tracked, including who made the change and when.
Tip: Hover over a CVE row in the table and click the
Reviewing Vendor CVEs (TPRM / CM)
As a CM user, you can see CVE Statements from vendors, but only when they choose to make them public (external). These Statements help you assess how your vendors are addressing potential vulnerabilities.
For example, see which vendors have reviewed a CVE, or still haven’t.
Vendor Statement Types
Here’s what vendors can choose to share with you:
- No Statement - The vendor hasn’t added anything
- Unreviewed - The vendor states the CVE is pending internal review
- Not Vulnerable - The vendor claims they are not affected
- Under Review - The vendor is still assessing their exposure
- Risk Accepted - The vendor is aware of the risk and is not planning remediation
Where You’ll See Vendor Statements
On the Vulnerability Detection page, open a CVE and check the Vendor Statement column, or use the Vendor Statement filter to customize your view.
In the CM app, use the ‘Vendor Statement’ filter to narrow results to vendors who have (or haven’t) shared their status.
Need a Vendor to Share a Statement?
If a vendor hasn’t added a Statement yet, you can reach out via Vendor Access and ask them to update their CVE Statements in their Vulnerability Detection page.
Tip: Reach out via Vendor Access and ask the vendor to add a Statement on the CVE in their Vulnerability Detection page.
Best Practices
| If you're managing your own org (SPM) | If you're monitoring vendors (CM) |
|---|---|
| Add statements regularly for visibility and clarity | Use filters to focus on meaningful vendor input |
| Mark irrelevant CVEs as Not Vulnerable or Risk Accepted | Reach out to vendors with missing or unclear statements |
| Save filters to streamline daily triage | Combine vendor statements with Bitsight evidence for deeper insight |
| Make statements public when transparency is beneficial | Prioritize vendors with no or outdated input |
- October 16, 2025: Published.