CVE Announce e-newsletter — October 17, 2019
Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up to date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is a global, community-driven and continuously growing open data registry of vulnerabilities. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Working Groups, which are open to the community for participation, develop the program’s policies for consideration and approval by the CVE Board. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.
Special Edition
CVE Celebrates 20 Years!
The CVE Program was created 20 years ago this month, and since then, the CVE List has become a global, community-driven and continuously growing open data registry with more than 124,000 vulnerabilities listed. The list continues to grow, with new CVE Entries added daily.
20 Years of CVE Entries

| Milestone | CVE Entries on the CVE List |
|---|---|
| 20 Years | 124,374 |
| 15 Years | 64,492 |
| 10 Years | 38,727 |
| 5 Years | 7,191 |
| 1999 Launch | 321 |
20 Years of Community Participation
CVE is an international community effort, with representatives from across the security community participating on the initial CVE Editorial Board, which guided the program and voted on which CVE Entries would be included on the CVE List.
Today, community participation remains integral to the success of CVE. The CVE Program relies heavily on the community—researchers, vendors, end users, etc.—to discover and register new vulnerabilities. The CVE Board, which has expanded to include other types of organizations, such as academic and government agencies, as well as end-users of vulnerability information, continues to provide operational and strategic guidance to the CVE Program. CVE Working Groups, which are open to the community for participation, develop the program’s policies for consideration and approval by the CVE Board. Most importantly, organizations from around the world now actively participate as “CVE Numbering Authorities (CNAs)” to assign and populate CVE Entries for vulnerabilities within their own specific scopes of coverage.
CNA Participation Continues to Expand Worldwide
CNAs are integral to the ongoing success of the CVE Program; today, 104 organizations from 18 countries actively participate as CNAs. The CVE Program continues to actively recruit organizations from around the world to participate as CNAs.
CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, and research groups that assign CVE Entries to vulnerabilities within their own specific scopes of coverage. By assigning and populating their own CVE Entries, CNAs responsibly control the vulnerability disclosure process for those vulnerabilities, improve security for their own customers, and enhance vulnerability management practices for the entire community.
CNAs join the program from a variety of business sectors; there are minimal requirements, it is easy to join, and there is no fee or contract to sign. CNAs volunteer their own time for their own benefit.
Widespread Use of CVE by the Community
The cybersecurity community endorsed the importance of incorporating CVE into products and services from the moment the CVE Program was launched in 1999. Today, that adoption has increased significantly with numerous products and services from around the world incorporating CVE Entries.
Another compelling factor for adoption is the ongoing inclusion of CVE IDs in security advisories. Numerous major open source (OS) vendors and other organizations from around the world include CVE IDs in their alerts to ensure that the international community benefits by having the CVE IDs as soon as a problem is announced. In addition, CVE IDs are also frequently cited in trade publications and general news media reports regarding software bugs, including “named” vulnerabilities such as CVE-2014-0160 for “Heartbleed;” CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278 for “Shellshock;” and CVE-2019-0708 for “BlueKeep,” among others.
CVE has also been used as the basis for entirely new services. The National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD) is synchronized with, and based upon, the CVE List. NVD also includes Security Content Automation Protocol (SCAP) mappings for CVE Entries. In addition, the U.S. Federal Desktop Core Configuration (FDCC) requires verification of compliance with FDCC requirements using SCAP-validated scanning tools. CVE Change Logs is a tool created by CERIAS/Purdue University that monitors additions and changes to the CVE List and allows users to obtain daily or monthly reports. Common Weakness Enumeration (CWE™) is a formal dictionary of common software weaknesses that is based, in part, on the 124,000+ CVE Entries on the CVE List, and the recently released “2019 CWE Top 25 Most Dangerous Software Errors” leveraged CVE Entries to help determine the Top 25.
Finally, the International Telecommunication Union’s (ITU-T) Cybersecurity Rapporteur Group, which is the telecom/information system standards body within the treaty-based 150-year-old intergovernmental organization, adopted CVE as a part of its new “Global Cybersecurity Information Exchange techniques (X.CYBEX)” by issuing Recommendation ITU-T X.1520 Common Vulnerabilities and Exposures (CVE).
Our Anniversary Celebration
Please join us on December 4-5, 2019 at Black Hat Europe 2019 as we continue to celebrate our 20-year anniversary with a CVE booth, #615.
Additional events will be announced soon, but in the meantime, follow us on the CVE website, CVE-Announce, GitHub, LinkedIn, and Twitter, as we continue our celebration throughout our anniversary year.
Finally, thank you very much for your continuing use of CVE and your ongoing interest and participation over these last 20 years. It is greatly appreciated. We look forward to the next 20 years!
Read on CVE website or share:
https://cve.mitre.org/news/archives/2019/news.html#October162019_CVE_Celebrates_20_Years!
Keeping Up with CVE
Follow us for the latest from CVE:
@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).
Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2019, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.
