Friday, September 6, 2019

CVE Announce - September 6, 2019 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — September 6, 2019

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up to date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:
1. Salesforce and Bitdefender Added as CVE Numbering Authorities (CNAs)
2. CVE Blog: Become a CNA to Assign Your Own CVE IDs
3. CVE in the News
4. Keeping Up with CVE


Salesforce and Bitdefender Added as CVE Numbering Authorities (CNAs)

Two additional organizations are now CVE Numbering Authorities (CNAs): Salesforce, Inc. for Salesforce products only, and Bitdefender for all Bitdefender products as well as vulnerabilities in third-party software discovered by Bitdefender that are not in another CNA’s scope.

CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

CNAs are the main method for requesting a CVE ID. The following 101 organizations currently participate as CNAs: Adobe; Airbus; Alibaba; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; Check Point; Cisco; Cloudflare; CyberSecurity Philippines - CERT; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; Google; HackerOne; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; Nvidia; Objective Development; Odoo; OpenSSL; OPPO; Oracle; Palo Alto Networks; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; Siemens; Sonicwall; SUSE; Symantec; Snyk; Synology; Talos; Tenable; TIBCO; Trend Micro; TWCERT/CC; VMware; Yandex; Zephyr Project; Zero Day Initiative; and ZTE.

For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#September032019_Bitdefender_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2019/news.html#August292019_Salesforce_Added_as_CVE_Numbering_Authority_CNA


CVE Blog: Become a CNA to Assign Your Own CVE IDs

CVE Numbering Authorities, or “CNAs,” are organizations authorized to assign and populate CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope.

A CNA may be a software vendor, open source project, coordination center, bug bounty service provider, or research group. CNAs are essential to the CVE Program’s success and every CVE Entry added to the CVE List is added by a CNA.

Benefits of Being a CNA

Currently, 101 organizations from around the world are actively participating in the CVE Program as CNAs. There is no monetary fee and no contract to sign to become a CNA. CNAs volunteer their own time for their own benefit.

The only requirements are to have a public vulnerability disclosure policy and a public source for new vulnerability disclosures, to agree to the CVE Terms of Use, and agree to follow the program’s rules and guidelines.

Becoming a CNA allows you to:

  • Demonstrate mature vulnerability management practices and a commitment to cybersecurity to current and potential customers.
  • Communicate value-added vulnerability information to your customer base.
  • Control the CVE publication release process for vulnerabilities in your scope.
  • Assign CVE IDs without having to share embargoed information with another CNA.
  • Streamline your vulnerability disclosure processes.


CNAs are also able to participate in other aspects of the CVE Program. Examples include influencing the CNA rules and guidelines upon which the program operates, and joining one or more of the CVE Working Groups to help improve CVE workflows and processes.

How to Become a CNA

If your organization would like to become a CNA, please follow these four easy steps:

  1. Contact the CNA Coordination Team.
  2. Fill out the registration form.
  3. Attend an introductory session.
  4. Successfully create CVE ID entries from examples.


Comments or Questions?

If you have any questions, or would like to start the process, please use our CVE Request Web Form and select “Request information on the CVE Numbering Authority (CNA) Program” from the dropdown. We look forward to hearing from you!

Read on CVE website or share:
https://cve.mitre.org/blog/index.html#August292019_Become_a_CNA_to_Assign_Your_Own_CVE_IDs


CVE in the News

Android Zero-Day Bug Opens Door to Privilege Escalation Attack, Researchers Warn
https://threatpost.com/android-zero-day-bug-opens-door-to-privilege-escalation-attack-researchers-warn/148014/

Espressif IoT devices susceptible to WiFi vulnerabilities can allow hijackers to crash devices connected to enterprise networks
https://hub.packtpub.com/espressif-iot-devices-susceptible-to-wifi-vulnerabilities-can-allow-hijackers-to-crash-devices-connected-to-enterprise-networks/

Tripwire Patch Priority Index for August 2019
https://www.tripwire.com/state-of-security/vert/vert-news/tripwire-patch-priority-index-for-august-2019/

August, 2019 Patch Tuesday Targets Remote Desktop and Active Directory
https://news.sophos.com/en-us/2019/08/30/august-2019-patch-tuesday-targets-remote-desktop-and-active-directory/

Top 5 New Open Source Security Vulnerabilities in August 2019
https://resources.whitesourcesoftware.com/blog-whitesource/top-5-new-open-source-vulnerabilities-in-august-2019


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2019, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.
