CVE Announce e-newsletter — July 1, 2020
Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up to date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE's strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.
Contents:
1. CVE Blog: "Our CVE Story: Bringing Our ZDI Community to the CVE Community"
2. openEuler Added as CVE Numbering Authority (CNA)
3. Japanese Translations of CNA Onboarding Slides Now Available
4. CVE in the News
5. Keeping Up with CVE
CVE Blog: "Our CVE Story: Bringing Our ZDI Community to the CVE Community"
Guest author Shannon Sabens of Zero Day Initiative (ZDI)/Trend Micro, Inc. is a CVE Board Member, and both ZDI and Trend Micro are CNAs.
At ZDI, we have benefitted greatly from working with the CVE Program and becoming a CVE Numbering Authority (CNA). While we aren't one of the oldest CNAs, we do have a relationship with the CVE Program going back many years. Our history with the program is surely different from that of many vendor CNAs, but I think we have largely shared in the same mutual benefits.
ZDI, as a security research organization and a bug bounty, was formed 15 years ago. We are one of the oldest bug bounties. As a research organization, we used to approach the CVE Program independently and individually for the CVEs we needed assigned to track vulnerabilities that we had vetted and acquired. Once upon a time, we would write to a CVE Coordination email address to provide all the relevant information and to get a CVE. Later, to do this, just like many independent researchers today, we would write to the CVE Coordinators at Request a CVE ID. We would provide the vulnerability type, the vendor or developer name, the affected product name and the version information.
Then, several years ago, ZDI approached the CVE Program about becoming a CNA. At that time, they discussed it, but bug bounties in general were still a fairly new concept, and ZDI, as a bug bounty, did not fit the requirements for becoming a CNA.
That said, we were very flattered and pleased when the CVE Board voted to make ZDI a "full-coverage source." Perhaps we can think of this period as a compromise or a transition phase. It meant that in lieu of me, as the ZDI PM, having to contact the CVE Program and request a CVE ID for a report that did not already have a CVE ID or where the affected vendor was not a CNA, the program proactively looked at ZDI as a source and assigned CVEs to our fully vetted reports missing CVEs and issued them to ZDI directly. This was an effective step.
Later, when the criteria for becoming a CNA were amended and it became permissible for bug bounties and research organizations to potentially qualify to become CNAs, ZDI again approached the CVE Program to inquire about becoming a CNA. This time it was agreed that ZDI could meet the current criteria. We studied up a little and we demonstrated that we could administer the assignments ourselves.
As a CNA, you will provide a statement about your scope. What you, as a CNA, are providing CVEs for is your scope. At ZDI, we asked only that we administer for ourselves what the CVE Program had been doing for ZDI as a "full-coverage source." It means that where the vendor or CERT we reported a vulnerability to is not a CNA, we can assign a CVE to the vulnerability. Specifically, our scope says exactly: "Products and projects covered by its bug bounty programs that are not in another CNA's scope."
Likewise, ZDI assisted the PSIRT for our company's own products through the CNA onboarding process. The Trend Micro PSIRT became a CNA too!
The current requirements for becoming a CNA are quite accessible:
- Have a public vulnerability disclosure policy.
- Have a public source for new vulnerability disclosures.
- Agree to the CVE Terms of Use.
As a CNA we have gained a deeper understanding of CVE and become active members of a lively community with a shared commitment to CVE. This has benefitted us as a research organization and has helped us to develop our staff.
If you need CVE education for staff, there are PDF and video materials available.
We feel the biggest benefit is that we document the message associated with the CVE and we can attest to its transparency and accuracy. Our participation in CVE is a demonstration of our commitment to this.
We sincerely hope that sharing our experience may benefit others who are considering becoming a CNA. If you have questions about the program, we are happy to share our experience or you can contact the fabulous professional team of CNA Coordinators with the CVE Program.
Best Wishes,
Shannon Sabens
Sr. Program Manager
ZDI Program/Trend Micro
Comments or Questions?
If you have any questions about this article, please use the CVE Request Web Form and select "Other" from the dropdown menu to contact the CVE Program. We look forward to hearing from you!
Read on CVE website or share:
https://cve.mitre.org/blog/index.html#June222020_Our_CVE_Story_Bringing_Our_ZDI_Community_to_the_CVE_Community
openEuler Added as CVE Numbering Authority (CNA)
openEuler is now a CVE Numbering Authority (CNA) for openEuler issues only.
CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
CNAs are the main method for requesting a CVE ID. The following 129 organizations from 21 countries currently participate as CNAs: ABB; Adobe; Airbus; Alias Robotics; Alibaba; AMD; Ampere; Android; Apache; Apple; Appthority; Atlassian; Autodesk; Avaya; Bitdefender; BlackBerry; Bosch; Brocade; CA; Canonical; CERT/CC; CERT@VDE; Check Point; Chrome; Cisco; Cloudflare; Cybellum; Dahua; Debian GNU/Linux; Dell; Document Foundation; Drupal.org; Eaton; Eclipse Foundation; Elastic; F5; Facebook; Fedora Project; Flexera Software; floragunn; Forcepoint; Fortinet; FreeBSD; GitHub; GitHub (Products Only); GitLab; Google; HackerOne; HCL; Hewlett Packard Enterprise; Hikvision; Hillstone; HP; Huawei; IBM; INCIBE; ICS-CERT; Intel; ISC; Jenkins Project; Johnson Controls; JPCERT/CC; Juniper; Kaspersky; KrCERT/CC; Kubernetes; Larry Cashdollar; Lenovo; MarkLogic; McAfee; Micro Focus; Microsoft; MITRE (CVE Program Root CNA); MongoDB; Mozilla; Naver; NetApp; Netflix; Node.js; NortonLifeLock; Nvidia; Objective Development; Odoo; openEuler; OpenSSL; OpenVPN; Opera; OPPO; Oracle; OTRS; Palo Alto Networks; Pegasystems; PHP Group; Pivotal Software; Puppet; Qihoo 360; QNAP; Qualcomm; Rapid 7; Red Hat; Salesforce; SAP; Schneider Electric; SICK; Siemens; Sierra Wireless; Silver Peak; Sonicwall; Splunk; SUSE; Symantec; Snyk; Synology; Talos; Tcpdump; Tenable; Teradici; TIBCO; Tigera; Trend Micro; TWCERT/CC; Vivo; VMware; Xiaomi; Yandex; Zephyr Project; Zero Day Initiative; Zscaler; and ZTE.
For more information about requesting CVE ID numbers from CNAs, visit Request a CVE ID on the CVE website.
Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#June242020_openEuler_Added_as_CVE_Numbering_Authority_CNA
Japanese Translations of CNA Onboarding Slides Now Available
Thank you to JPCERT/CC for providing Japanese translations of our CVE Numbering Authority (CNA) Program onboarding slides for new CNAs: CVE Program Overview, Becoming a CNA, CNA Processes, Assigning CVE IDs, CVE Entry Creation, and CVE Entry Submission Process.
Please visit CNA Onboarding Slides & Videos for English versions of the slides and videos.
To learn more about the CNA Program, and the business benefits of becoming a CNA, visit Why Become a CNA?
Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#June302020_Japanese_Translations_of_CNA_Onboarding_Slides_Now_Available
CVE in the News
US Government Warns of Palo Alto Vulnerability
https://www.infosecurity-magazine.com/news/us-government-warns-palo-alto/
Ripple20 Vulnerabilities Affect Hundreds of Millions of IoT Devices
https://www.infosecurity-magazine.com/news/ripple20-vulnerabilities-discovered/
Unpatched Wi-Fi Extender Opens Home Networks to Remote Control
https://threatpost.com/unpatched-wi-fi-extender-remote-control/156990/
Billions of devices affected by UPnP vulnerability
https://nakedsecurity.sophos.com/2020/06/10/billions-of-devices-affected-by-upnp-vulnerability/
Study Finds Open Source Vulnerabilities Doubled in 2019
https://www.bankinfosecurity.com/study-finds-open-source-vulnerabilities-doubled-in-2019-a-14407
The importance of effective vulnerability remediation prioritization
https://www.helpnetsecurity.com/2020/06/09/importance-vulnerability-remediation-prioritization/
Keeping Up with CVE
Follow us for the latest from CVE:
@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: "subscribe cve-announce-list" (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message "signoff cve-announce-list" (do not include the quote marks).
Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2020, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.