The Vendor taxonomy
The vendor taxonomy is both a scope and a dependency taxonomy. It is based on an organizational hierarchy and an encoding methodology that has to "jibe" with the Common Platform Enumeration (CPE) naming methodology maintained by MITRE (or at least come as close to it as possible). Because encoded vendor names (the names are encoded so that special characters such as "*" can be carried in URIs) are part of the CPE methodology as well as our own CAE methodology, we have to ensure that each vendor name
- represents a vendor and not something else (such as a person, a product, or a name that cannot be verified);
- can be deprecated if the vendor goes out of business, is acquired, or merges with another vendor; and
- follows the correct encoding syntax and rules (such as matching a string within the organization's URI).
As an example, the vendor Extreme Networks is represented by the CPE and CAE vendor name "extremenetworks" because that name satisfies all three points above. The CPE name "citadel," however, used to represent a vendor that has since been acquired by McAfee; it should therefore be deprecated in favor of "mcafee," because Citadel is now part of the larger organization. In our taxonomy each vendor is given a seven-digit Vendor ID and is also assigned a Vendor Genealogy (the ID of its parent vendor) to represent the hierarchy, as shown below:
Name              ID       Genealogy  CAE Encoded Name
McAfee            0000001             mcafee
Citadel           0000092  0000001    mcafee
Extreme Networks  0000068             extremenetworks
In a nutshell, our vendor naming rules are as follows:
Rule 1: If there is a CPE match to a valid vendor domain, leave it alone
If the CPE name can be found as a string within the vendor's domain name, leave the name as it stands.
Example
Alcatel is the vendor's name, "alcatel" is the CPE name, and "http://alcatel-lucent.com" is the domain name. Because "alcatel" can be found as a string within the domain name, the name can stand as is.
Rule 2: If the CPE name is a product, change the name to that of the vendor
If the CPE name is actually a product within an organization, move the entry under that organization's genealogy and deprecate the name, citing this taxonomic rule.
Example
The CPE name "suse" actually refers to a product, SUSE Linux Enterprise, published by the vendor Novell. To add to the problem, the string "suse" cannot be found within the product's domain "http://novell.com/linux/". Therefore our team moved the product under the organization Novell and suggests that the CAE encoded name follow that of the parent organization.
Name    Status      CAE Encoded Name
Novell  live        novell
suse    deprecated  novell
Rule 3: If the CPE name refers to a .org, change the name to that of the vendor
If the CPE name refers to an online "org" (such as rsbac.org) rather than a corporation or other formal entity, set the vendor name to that organization (rsbac.org). The example speaks for itself.
Rule 4: If the CPE name belongs to a defunct-through-acquisition organization, change the name to the acquiring vendor
If the organization has been acquired and the former organization is now a product name, a group name, or no longer exists at all, move the entry under the acquiring organization's genealogy and deprecate the name, citing this taxonomic rule.
Example
BusinessObjects used to be an organization with the domain businessobjects.com. It has since been acquired by SAP, and the old domain businessobjects.com now resolves to SAP.com. Therefore, our team moved BusinessObjects under SAP and deprecated the name in favor of the acquiring organization's name.
Name             Status      CAE Encoded Name
SAP              live        sap
businessobjects  deprecated  sap
Rule 5: If the CPE name cannot be validated online, flag the record
There are a certain number of CPE names that simply don't make sense. We believe that a couple of them belonged to individuals (one is called "Dave Arlie") or possibly to defunct companies (such as "jjwebdesign"). If the CPE name cannot be verified, mark it as such and move it under the Unvalidated Names category.
Example
Name               Status      CAE Encoded Name
Unvalidated Names  deprecated
dave_airlie        deprecated
jjwwebdesign       deprecated
Each quarter we'll continue to look for these names until they've been completely deprecated from the CPE list.
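The five rules above amount to a small data model: a seven-digit Vendor ID, a genealogy pointer to the parent vendor, a live/deprecated status, and a CAE encoded name that is resolved by following the genealogy to the live ancestor. The following Python is an added illustration written for this page, not the taxonomy team's own tooling; the Vendor class, the encoding function, and the sample records are assumptions, and the exact encoding rule is inferred from the page's examples rather than stated by it.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlparse

@dataclass
class Vendor:
    vendor_id: str                   # seven-digit Vendor ID, e.g. "0000001"
    name: str                        # display name as listed in the taxonomy
    genealogy: Optional[str] = None  # parent Vendor ID once moved under another vendor
    status: str = "live"             # "live" or "deprecated"

def encode_name(name: str) -> str:
    # Lowercase, letters and digits only: "Extreme Networks" -> "extremenetworks".
    # Assumption: the page shows results but does not spell out the full rule.
    return re.sub(r"[^a-z0-9]", "", name.lower())

def matches_domain(cpe_name: str, url: str) -> bool:
    # Rule 1: the CPE name must occur as a string inside the vendor's domain host.
    host = urlparse(url).hostname or ""
    return cpe_name.lower() in host.lower()

class VendorTaxonomy:
    def __init__(self) -> None:
        self.by_id: Dict[str, Vendor] = {}

    def add(self, v: Vendor) -> None:
        if not re.fullmatch(r"\d{7}", v.vendor_id):
            raise ValueError(f"Vendor ID must be seven digits: {v.vendor_id}")
        self.by_id[v.vendor_id] = v

    def deprecate_under(self, child_id: str, parent_id: str) -> None:
        # Rules 2 and 4: move the entry under the parent's genealogy and deprecate it.
        child, parent = self.by_id[child_id], self.by_id[parent_id]
        if parent.status != "live":
            raise ValueError(f"{parent.name} is deprecated and cannot be a parent")
        child.genealogy, child.status = parent_id, "deprecated"

    def cae_encoded_name(self, vendor_id: str) -> str:
        # Walk the genealogy chain to the live ancestor and encode its name, so
        # Citadel resolves to "mcafee" as in the page's table. A deprecated record
        # with no parent (Rule 5, unvalidated) gets an empty CAE name.
        v, seen = self.by_id[vendor_id], set()
        while v.genealogy is not None:
            if v.vendor_id in seen:
                raise ValueError("cycle in vendor genealogy")
            seen.add(v.vendor_id)
            v = self.by_id[v.genealogy]
        return encode_name(v.name) if v.status == "live" else ""
```

The cycle check matters once genealogy pointers are edited by hand each quarter: two records that point at each other would otherwise loop forever when their CAE name is resolved.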