Guest author GS McNamara is Principal Application Security Engineer and co-founder of the Global Product Security Incident Response Team (PSIRT) at Forcepoint, and Forcepoint is a CVE Numbering Authority (CNA).

Forcepoint has partnered with the CVE Program since 2017 as a CNA and has received many benefits from that relationship that continue to have a direct impact on our products. If you are thinking about becoming a CNA, consider the following:

CVE benefits organizations by creating common ground to enable a conversation about managing vulnerabilities whether internally, with peers, or with vendors. Defensive security products can be explicit about the vulnerabilities they protect, which gives the consumer a clear idea of their organization’s residual exposure. …

Guest author Chandan Nandakumaraiah of Palo Alto Networks is Co-chair of the CVE Quality Working Group, and Palo Alto Networks is a CVE Numbering Authority (CNA).

Most organizations that publish security alerts to warn their consumers need unique identifiers to use as a reference. The identifier may be used during meetings, included in emails, discussed over the telephone, cited in chat rooms, displayed in slide presentations, sent in text messages, or tweeted to help identify an individual security alert. They also help people distinguish between issues and ensure people are on the same page when discussing a security problem. …

The Common Vulnerabilities and Exposures (CVE) Program’s quarterly calendar year (CY) summary of program milestones and metrics for CY Q3–2020 is below.

11 CVE Numbering Authorities (CNAs) Added
Eleven new CNAs were added: Crafter CMS (USA), Electronic Arts (USA), F-Secure (Finland), Gallagher Group (New Zealand), Mattermost (USA), Nozomi Networks (USA), Replicated (USA), Synaptics (USA), (USA), VDOO Connected Trust Ltd. (Israel), and Zabbix (Latvia).

CISA ICS Added as Top-Level Root CNA for Industrial Control Systems (ICS) and Medical Devices
On September 15, the CVE Program issued a press release announcing that it had expanded its partnership with the Cybersecurity and Infrastructure Security Agency (CISA) and that CISA ICS would now be the Top-Level Root CNA (TLR-CNA) responsible for CVE ID assignment by ICS and medical device vendors participating as CNAs, of which there are currently seven: Alias Robotics, ABB, Bosch, CERT@VDE, Gallagher Group, Johnson Controls, and Siemens. …

Guest author Lisa Olson of Microsoft is a CVE Board Member and Microsoft is a CNA.

Let me tell you something that seems rather strange: Microsoft has been a CVE Numbering Authority (CNA) since before written records on such things. How is that possible? Actually, early participants weren’t labeled CNAs until February 1, 2005.

Microsoft CVEs Published 1999–2020

Well, here is a link to our first CVE: CVE-1999-0007. This was documented in our second security bulletin issued June 26, 1998. I wasn’t around the Microsoft Security Response Center (MSRC) then, but it must have been an interesting feat to issue a 1999 CVE six months before 1999 began. Needless to say, Microsoft has been an active participant in the CVE Program for a long time, and we’ve issued a lot of CVEs. As you can see by the chart, the numbers keep growing significantly every year. This crazy year of 2020 we are almost over 100 CVEs per month on average. We think this might have something to do with the fact that researchers might have more time on their hands due to the pandemic, but it also has to do with Microsoft’s bounty programs. …

This article is based upon a news release by the CVE Program and Cybersecurity and Infrastructure Security Agency.

The Common Vulnerabilities and Exposures (CVE®) Program announced it is expanding its partnership with the Cybersecurity and Infrastructure Security Agency (CISA) for managing the assignment of CVE Identifiers (IDs) for the CVE Program.

CISA is now designated a Top-Level Root CVE Numbering Authority for industrial control systems (ICS) and medical device vendors participating as CVE Numbering Authorities (CNAs). CNAs are organizations authorized to assign CVE IDs for vulnerabilities affecting products within a distinct scope. …

Guest author Tod Beardsley of Rapid7 is a CVE Board Member as the CNA Coordination Working Group Liaison, and Rapid7 is a CNA.

Back in 2016, something new and exciting was afoot in the CVE Program and at Rapid7. After a particularly troubled period for the program, the CVE Program was looking for partners in its newest mandate to federate the CVE Program and share the load across new kinds of CVE Numbering Authorities (CNAs). Over its decades-spanning history, things in Coordinated Vulnerability land were getting, well, kind of out of hand. …

The mission of the CVE Program is to identify, define, and catalog publicly disclosed vulnerabilities, regardless of the status of the software in question. Issuing CVE IDs for software that has reached EOL supports this mission.

As part of issuing a CVE ID, many vendors perform due diligence to validate and remediate disclosed vulnerabilities for supported products. By definition, EOL products are typically no longer supported by vendors. Vendors are under no obligation to validate vulnerability reports in EOL software; doing so can be cost prohibitive because the relevant expertise may no longer be available, it may disrupt release schedules for supported products, or there may be other legitimate business justifications. …

Guest author Shannon Sabens of Zero Day Initiative (ZDI)/Trend Micro, Inc. is a CVE Board Member, and both ZDI and Trend Micro are CNAs.

At ZDI, we have benefitted greatly from working with the CVE Program and becoming a CVE Numbering Authority (CNA). While we aren’t one of the oldest CNAs, we do have a relationship with the CVE Program going back many years. Our history with the program is surely different from that of many vendor CNAs, but I think we have largely shared in the same mutual benefits.

ZDI, as a security research organization and a bug bounty, was formed 15 years ago. We are one of the oldest bug bounties. As a research organization, we used to approach the CVE Program independently and individually for the CVEs we needed assigned to track vulnerabilities that we had vetted and acquired. Once upon a time, we would write to a CVE Coordination email address to provide all the relevant information and to get a CVE. Later, to do this, just like many independent researchers today, we would write to the CVE Coordinators at Request a CVE ID. We would provide the vulnerability type, the vendor or developer name, the affected product name and the version information. …


CVE Program

Common Vulnerabilities and Exposures (CVE®) is an international, community-based open data registry of cybersecurity vulnerabilities