Third-Party Data Attributions
Koopic's vulnerability management features rely on publicly available vulnerability catalogs and scoring datasets. This page credits each upstream source and reproduces the licenses under which that data is redistributed.
Overview
The Koopic Service enriches customer-supplied vulnerability data with information drawn from several industry-standard, publicly available catalogs. Each source is governed by its own license. Koopic is committed to honoring those licenses and to giving upstream maintainers clear credit wherever their data is displayed inside the Service.
Koopic is not endorsed by or affiliated with MITRE, NIST, CISA, or FIRST. The data providers listed below are not responsible for Koopic's interpretation, presentation, or use of their data.
MITRE CVE List
Koopic ingests vulnerability identifiers and descriptive metadata from the CVE List published by The MITRE Corporation. CVE entries power Koopic's canonical vulnerability identity model.
- Source: cve.mitre.org
- Data feed: CVE List V5 (JSON 5.0)
- Terms of use: The CVE List is free to use subject to MITRE's Terms of Use. Credit is required.
Attribution: This product uses data from the MITRE CVE list. CVE and the CVE logo are registered trademarks of The MITRE Corporation. Use of CVE identifiers and descriptions within Koopic does not imply endorsement by MITRE.
NIST National Vulnerability Database (NVD)
Koopic retrieves CVSS metrics, CWE mappings, CPE affected-product data, and supplemental analyst context from the U.S. National Vulnerability Database, operated by the National Institute of Standards and Technology (NIST).
- Source: nvd.nist.gov
- Data feed: NVD 2.0 API (modified and recent incremental feeds).
- License: NVD data is produced by a U.S. federal agency and is in the public domain per the NIST General Disclaimer. No attribution is legally required, but Koopic credits NVD as a matter of good practice.
Attribution: This product uses data from the NIST National Vulnerability Database. NIST does not endorse Koopic or any commercial product.
CISA Known Exploited Vulnerabilities (KEV) Catalog
Koopic marks vulnerabilities as "known-exploited" using the CISA Known Exploited Vulnerabilities Catalog, which is maintained by the Cybersecurity and Infrastructure Security Agency.
- Source: cisa.gov/known-exploited-vulnerabilities-catalog
- Data feed: CISA KEV JSON feed.
- License: CISA KEV data is produced by a U.S. federal agency and is in the public domain. No attribution is legally required, but Koopic credits CISA as a matter of good practice.
Attribution: This product uses data from the CISA Known Exploited Vulnerabilities Catalog. CISA does not endorse Koopic or any commercial product.
EPSS — Exploit Prediction Scoring System (FIRST.org)
Koopic displays the daily Exploit Prediction Scoring System (EPSS) probability and percentile for each CVE where available. EPSS is produced by the Forum of Incident Response and Security Teams (FIRST).
- Source: first.org/epss
- Data feed: EPSS daily CSV (full refresh).
- License: Creative Commons Attribution 4.0 International (CC BY 4.0). Attribution is legally required.
Attribution: EPSS data by FIRST.org, licensed under CC BY 4.0. See https://www.first.org/epss/ for the canonical source. Koopic is not affiliated with FIRST.
Customer-Owned Vulnerability Data
Vulnerability findings pulled from third-party tools configured by your organization (for example, Microsoft Defender for Endpoint, on-premises vulnerability scanners, or asset-management agents) are Customer Data and are not redistributed by Koopic. Use of that data is governed by your agreements with those vendors and by Koopic's Data Processing Agreement.
Updates to This Page
We will update this page whenever we add, remove, or change an upstream vulnerability data source. The "Last Updated" timestamp at the top of the page reflects the most recent change.
Questions
For questions about Koopic's use of a particular data source, or to report a missing or incorrect attribution, please email [email protected].