Reviewing Vendor CVEs (TPRM / CM) Erin Conry As a Continuous Monitoring user, you can see CVE Statements from vendors, but only when they choose to make them public (external). These Statements help you assess how your vendors are addressing potential vulnerabilities.For example, see which vendors have reviewed a CVE, or still haven’t.Vendor Statement TypesHere’s what vendors can choose to share with you: No Statement - The vendor hasn’t added anything Unreviewed - The vendor states the CVE is pending internal review Not Vulnerable - The vendor claims they are not affected Under Review - The vendor is still assessing their exposure Risk Accepted - The vendor is aware of the risk and is not planning remediation Where You’ll See Vendor StatementsOn Vulnerabilities Detection, enter the CVE page and see the Vendor Statement columns or use the Vendor Statement filter to customize your view.In the CM app, use the ‘Vendor Statement’ filter to narrow results to vendors who have (or haven’t) shared their status.Need a Vendor to Share a Statement?If a vendor hasn’t added a Statement yet, you can reach out via Vendor Access and ask them to update their CVE Statements in their Vulnerability Detection page.Tip: Reach out via Vendor Access and ask the vendor to add a Statement on the CVE in their Vulnerability Detection page.Best Practices Use filters to focus on meaningful vendor input Reach out to vendors with missing or unclear statements Combine vendor statements with Bitsight evidence for deeper insight Prioritize vendors with no or outdated input Related articles Managing CVEs in Your Own Organization (SPM) Feedback 0 comments Please sign in to leave a comment.