Our CVE Story: Using the CVE Program to Provide Reliable Vulnerability Information

CVE Program Blog
3 min read, Dec 15, 2020


Guest author Milind Kulkarni is a member of the CVE Outreach and Communications Working Group and NVIDIA is a CVE Numbering Authority (CNA).

Customers and developers rely on vulnerability descriptions to judge the risk to their systems. If the information attached to a vulnerability is incomplete or vague, consumers of that information may misjudge their risk, struggle to decide how urgently a remediation must be applied, and leave systems exposed to attack. By becoming a CNA and assigning a CVE ID when you disclose a security vulnerability, you publish structured, reliable vulnerability information, and your customers get the accurate details they need to prioritize the remediation work that secures their systems.

NVIDIA became a CNA in 2016 and has drawn significant benefit from the CVE Program since. CNA status gives us the authority to assign CVE IDs to vulnerabilities reported in our products, to write the tailored descriptions that are published in the public CVE List, and to own the messaging for our own security vulnerabilities.

When a security update is released, we publish a comprehensive security bulletin that serves as the authoritative reference for the CVE Record. The bulletin gives a brief description of the CVE, its severity and CVSS vector, the security impact, the affected versions, instructions for applying the remediation, and, where applicable, an acknowledgement of the finders for responsible disclosure. NVIDIA uses industry standards to populate the CVE Record: Common Weakness Enumeration (CWE™) to classify the underlying weakness in the vulnerability description, and the Common Vulnerability Scoring System (CVSS) to express severity together with the vector from which that severity is derived.

Incorporating the CVE Program may at first look like a burden on your security operations: you might expect it to require a complete change of process and a lot of time. In my experience, the CVE Program is flexible enough to fit your existing processes, and once integrated the CVE steps become a routine set of activities. Assigning CVE IDs and publishing CVE Records can be done manually, or with automation if you have the resources. The program suits organizations of any size that have a growing product portfolio and customer base, and it signals that your products have a security lifecycle and that you pay attention to security issues. Following the simple and straightforward CVE Record Requirements set out by the CVE Program has helped NVIDIA integrate the CVE steps into our processes for disclosing vulnerabilities and messaging for the CVE Record.

The CVE Program has greatly helped us streamline our communications and provide reliable vulnerability information to our customers, empowering them to make informed decisions about the security of their systems. If your organization is interested in these benefits, see the CVE Program’s guide on How to Become a CNA. Adopting the CVE Program in your vulnerability disclosure practices will put you in a better position and will benefit not only your company but also your customers and the wider ecosystem, making your products and systems more secure than before.

The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. https://www.cve.org