Public Records Policy

Our commitment to open access to vulnerability intelligence and security data

Last updated on January 15, 2025

CVETrack Public Records Policy

Our Mission

CVETrack believes in open access to public vulnerability records and security intelligence. We organize and publish vulnerability data to make it universally accessible and useful to security professionals, researchers, and the public.

CVETrack Believes in Open Access to Public Vulnerability Records

CVETrack believes in open access to public vulnerability records and publicly available security information ("public record(s)" or "record(s)"). We organize and publish vulnerability data and make it universally accessible and useful to the public.

Public vulnerability records are records that are created and maintained by government agencies, security organizations, and vendors, and are open to public inspection. Examples of public vulnerability records include:

  • CVE (Common Vulnerabilities and Exposures) records from MITRE
  • NVD (National Vulnerability Database) entries from NIST
  • Security advisories from software vendors
  • Vulnerability reports from security researchers
  • CVSS (Common Vulnerability Scoring System) assessments
  • EPSS (Exploit Prediction Scoring System) data
  • KEV (Known Exploited Vulnerabilities) catalog entries

We follow well-articulated federal and international policies that promote open access to vulnerability information. Public vulnerability records by law and industry practice are open to inspection, examination, and analysis by the public. There are no "private facts" in public vulnerability records unless they have been classified or restricted by appropriate authorities.

Access to Public Vulnerability Records Serves Vital Security Interests

Access to public vulnerability records is a necessary element of effective cybersecurity. In particular, there is a well-established principle in the security community that recognizes the positive role played by allowing public access to vulnerability information.

Public access to vulnerability records permits security professionals to:

  • Monitor and assess security risks in their systems
  • Participate in coordinated vulnerability disclosure processes
  • Make informed decisions about security patches and mitigations
  • Conduct security research and analysis
  • Develop effective security strategies and policies

The cybersecurity community, government agencies, and industry organizations have all endorsed the concept of open access to vulnerability information. It has been found that such access promotes better security practices by providing a means by which organizations can assess and mitigate security risks.

What Vulnerability Records Does CVETrack Collect, Use, and Publish?

CVETrack collects, uses, and publishes public vulnerability records and publicly available security information from governmental and non-governmental sources. We do not distribute classified or restricted vulnerability information to the public.

Examples of public vulnerability records from governmental sources include:

  • CVE records from MITRE Corporation
  • NVD entries from NIST
  • Security advisories from CISA
  • Vulnerability databases from national CERTs
  • Security bulletins from government agencies

Examples of publicly available security information from non-governmental sources include:

  • Vendor security advisories
  • Security researcher publications
  • Open source vulnerability databases
  • Security community forums and mailing lists
  • Public security research papers

Are the Vulnerability Records Provided by CVETrack Accurate?

CVETrack takes reasonable steps to accurately reproduce the public vulnerability records and publicly available security information we collect. However, these records may sometimes contain errors, be incomplete or inaccurate, or not reflect the most current information available.

These records are provided "AS IS" and are provided subject to our General Disclaimer and Terms of Service. Users should verify critical vulnerability information through official sources before making security decisions.

Vulnerability Records Should Be Used in a Responsible Manner

CVETrack uses all public vulnerability records and publicly available security information in a responsible manner. All records in our vulnerability databases are either obtained from official government sources or reputable security organizations. We do not distribute classified or restricted vulnerability information to the public.

All public vulnerability records and publicly available security information provided by CVETrack should be used in a responsible manner and in accordance with this Public Records Policy, our Terms of Service, and applicable laws and regulations.

Are Vulnerability Records Covered by Privacy Laws?

Public vulnerability records are typically exempt from state and federal privacy laws such as the California Consumer Privacy Act ("CCPA"). The CCPA clearly states that "personal information" does not include publicly available information, and that "publicly available" means information that is "lawfully made available from federal, state, or local government records."

Please note that public vulnerability records such as CVE entries published by MITRE, NVD entries published by NIST, and any information contained in them, like vulnerability descriptions, CVSS scores, and affected software versions, are not personal information for the purposes of privacy laws.

What Factors Are Considered by CVETrack for Redacting a Vulnerability Record?

Factors we typically consider when evaluating a Vulnerability Record Redaction Request include, but are not limited to, the following:

  • Has the record been classified or restricted by appropriate authorities?
  • Does the record contain information that could be used to exploit systems?
  • Is the record based on incomplete or inaccurate information?
  • Does the record concern vulnerabilities that have been proven to be false positives?
  • Has the vulnerability been fully patched, and is it no longer relevant?

Since the above factors are not exclusive, please feel free to submit a request for review even if it does not fall within one of the above factors. In order to help us evaluate the merits of your request, we may require you to provide supporting documentation, such as official security advisories and vendor confirmations.

How Do I Submit a Vulnerability Record Redaction Request?

To submit a Vulnerability Record Redaction Request, please contact us at support@truebyteinnovation.com. A Vulnerability Record Redaction Request, if approved, will redact or remove a vulnerability record published by CVETrack that may appear in internet search engines.

CVETrack only considers Vulnerability Record Redaction Requests that include all of the required information and supporting documentation and that provide compelling evidence as to why a vulnerability record should be redacted. Further, we only consider requests submitted by:

  • Official representatives of affected software vendors
  • Security researchers who originally reported the vulnerability
  • Authorized representatives of affected organizations
  • Legal representatives of the above parties

CVETrack does not charge for submitting, processing, or appealing a Vulnerability Record Redaction Request.

How Long Does It Take to Process a Vulnerability Record Redaction Request?

Once CVETrack receives a completed Vulnerability Record Redaction Request, we will initiate our internal review process. We typically decide on a request within 30 days, and will communicate our decision to you in writing.

If your request is approved, the exact timing of the redaction or removal of a vulnerability record from internet search engines is unknown. We do not control the internet search engines, their practices, or the timing of web page de-indexing. Based on past experience, URLs are generally de-indexed by internet search engines within about 30 days.

What If a Vulnerability Record Redaction Request Is Not Approved?

If CVETrack has not approved your Vulnerability Record Redaction Request, and you have additional supporting information and/or documentation regarding this request that you would like us to consider, you may submit an appeal within 30 days of notice of CVETrack's decision.

CVETrack does not grant all Vulnerability Record Redaction Requests. The casual redaction or removal of public vulnerability records limits public access to important security information and diminishes the integrity of our products and services. This is particularly true of records that have a strong public interest or where multiple organizations are affected.

Ultimately, the records we publish are public vulnerability records and are therefore open to inspection by the public. There are no "private facts" in public vulnerability records unless they have been classified or restricted by appropriate authorities.

How Do I Contact CVETrack?

To submit a Vulnerability Record Redaction Request or for questions regarding this policy, please contact us at:

Email: support@truebyteinnovation.com

What if CVETrack Changes Its Public Records Policy?

CVETrack may change its Public Records Policy and/or Vulnerability Record Redaction Request process from time to time with or without notice. Changes will be posted on this page with the updated date.

Agreement to Terms

By using this site and/or our services, you acknowledge and agree to this Public Records Policy, along with our Terms of Service, General Disclaimer, Privacy Policy, and any additional policies provided on the site. If you do not agree to these terms, please refrain from using the site and services.