Monday, June 4, 2018

CVE Announce - June 4, 2018 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — June 4, 2018

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up-to-date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the standard for cybersecurity vulnerability identifiers. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. Preparing CVE for the Future Is Main Topic of Article on The Daily Swig
2. New CVE Board Charter Is Approved
3. CVE in the News
4. Keeping Up with CVE

Preparing CVE for the Future Is Main Topic of Article on The Daily Swig

CVE is the main topic of a May 16, 2017 article entitled “CVE board looks ahead to the next 20 years of vulnerability identification,” on The Daily Swig. In the article, CVE Board members Kent Landfield of McAfee and Chris Levendis of MITRE “take stock of the program’s journey [during its first 20 years] to becoming the world’s de facto vulnerability identification standard” and discuss how CVE is being effectively positioned for the next 20 years.

The author states: “If ever proof were needed that the security industry is evolving at a rapid pace, the CVE program recently announced that the CVE List had surpassed 100,000 entries – a dubious milestone that demonstrates the program’s diligence, while hammering home the sheer scale of the threat landscape in 2018.”

The author then discusses how growing the number of participants in the CVE Numbering Authority (CNA) program helped the CVE List surpass 100,000+ entries, with more and more CNAs assigning CVE Entries to vulnerabilities, and how CVE will continue to benefit from this federated approach in the future. The author quotes Chris Levendis on this point: “[CVE now has] 87 CNAs in the program, who are all involved in the assignment process and help chart the path forward. The CNAs are going to be the primary means by which we scale the CVE program … As far as onboarding [new] CNAs is concerned, the program will strategically look to target certain organizations to fulfil different kinds of roles. We have open and transparent rules for the requirements to become a CNA.”

The author also quotes Kent Landfield regarding the future of CVE, the role of automation, and the CNA program, who states: “During the next year or so, we’re going to be putting in place lots of different pieces and parts to ensure that federated environment [fully] occurs, and that we have set ourselves up for the next 20 years. We have built working groups into the program that allow the board members, the CNAs, and the public to participate in trying to develop some of that automation.”

“CVE is really a fundamental piece of our security defense mechanisms … I would like to stress the sheer number of external participants who take part in this program. CVE is vital to the security industry, and vital to our ability to defend ourselves.”

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#May232018_Preparing_CVE_for_the_Future_Is_Main_Topic_of_Article_on_The_Daily_Swig


New CVE Board Charter Is Approved

We are pleased to announce that the CVE Board has approved the latest version of the “CVE Board Charter,” version 2.6, which includes several important updates to board structure; membership descriptions, including the addition of a CNA liaison board member; and voting policies and procedures.

This update was the result of many hours of hard work by the Board, and the resulting document better positions CVE for success as it continues to expand.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2018/news.html#May232018_New_CVE_Board_Charter_Is_Approved


CVE in the News

How to Deal with Open Source Vulnerabilities
https://www.infoq.com/articles/vulnerability-open-source

Git security vulnerability could lead to an attack of the (repo) clones
https://www.theregister.co.uk/2018/05/30/git_vulnerability_could_lead_to_an_attack_of_the_repo_clones/

Using a D-Link router? Watch out for hardcoded backdoors that give hackers admin access
https://www.techrepublic.com/article/using-a-d-link-router-watch-out-for-hardcoded-backdoors-that-give-hackers-admin-access/

Microsoft’s Patch Tuesday Fixes Two CVEs Under Active Attack
https://www.darkreading.com/endpoint/microsofts-patch-tuesday-fixes-two-cves-under-active-attack/d/d-id/1331748


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email


If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.


 
