CVE Statements
We’re introducing CVE Statements, a new feature that helps you and your vendors provide context about vulnerabilities found in Bitsight’s Vulnerability Detection.
CVE Statements let you clarify your view of a CVE: whether your organization is not affected, is still reviewing, or has chosen to accept the risk. These statements appear alongside Bitsight’s independent findings and help reduce confusion in first- and third-party risk workflows.
CVE Statements are self-attested by each company, managed independently from Bitsight's evidence, do not influence ratings, and remain unchanged unless manually updated.
SPM users can:
- Mark CVEs as Not Vulnerable, Under Review, or Risk Accepted
- Choose to make statements internal (private) or external (visible in the CM app)
- Filter and save views to streamline triage and hide irrelevant data
CM users can:
- View vendor statements when shared
- Filter by vendor input (e.g., No Statement, Not Vulnerable)
- Reach out via Vendor Access to request missing context
Available in:
- October 16, 2025: Published.