1. CVE Board Statement on Distributed Weakness Filing Project Confusion
2. Four Additional Organizations Added as CVE Numbering Authorities (CNAs)
3. Chandan Nandakumaraiah of Palo Alto Networks Joins CVE Board
4. We Speak CVE Podcast – Interview with Larry Cashdollar: A Researcher’s Perspective
CVE Board Statement on Distributed Weakness Filing Project Confusion
The CVE Board continues to encourage innovative approaches to improving the vulnerability management ecosystem, and encourages feedback specifically related to improving the CVE Program.
Subject to previous communications, the CVE Board is aware of existing and increasing confusion within the community regarding unauthorized entities assigning “CVE” identification (ID) numbers and publishing “CVE” records. To this end, the Distributed Weakness Filing (DWF) project, which is not an authorized CVE Numbering Authority (CNA) and is not following the established CVE Program rules, is infringing on the CVE namespace by issuing IDs using the CVE Program syntax in the CVE-2021-xxxxxxx (million) range.
These are not valid CVE IDs and records. They will not be included in the CVE List. The CVE Board wants to make this clear to community stakeholders to eliminate the confusion caused by the unauthorized use of the CVE namespace.
To obtain a valid CVE ID, please contact a legitimate CNA or contact the CVE Program Secretariat to become an authorized CNA. The list of CNAs is located at https://cve.mitre.org/cve/request_id.html#cna_participants.
- The CVE Board
Read on the CVE website or share:
CVE Board Statement on Distributed Weakness Filing Project Confusion
Four Additional Organizations Added as CVE Numbering Authorities (CNAs)
Four additional organizations are now CNAs: (1) Becton, Dickinson and Company (BD) for BD software-enabled medical devices only; (2) Fluid Attacks for vulnerabilities in third-party software discovered by Fluid Attacks that are not in another CNA’s scope; (3) GS McNamara LLC for GS McNamara LLC products and services, including the Floodspark portfolio, and any vulnerabilities discovered in components or projects that GS McNamara LLC is researching or coordinating that are not in another CNA’s scope; and (4) huntr.dev for vulnerabilities in third-party code reported to huntr.dev.
CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
To date, 169 organizations from 28 countries participate in the CVE Program as CNAs.
Read their announcement articles on the CVE website or share:
Becton, Dickinson and Company (BD) Added as CVE Numbering Authority (CNA)
Fluid Attacks Added as CVE Numbering Authority (CNA)
GS McNamara LLC Added as CVE Numbering Authority (CNA)
huntr.dev Added as CVE Numbering Authority (CNA)
Chandan Nandakumaraiah of Palo Alto Networks Joins CVE Board
The CVE Program is pleased to welcome Chandan Nandakumaraiah of Palo Alto Networks as the newest member of the CVE Board. Chandan, a long-term active contributor to the CVE Program and current co-chair of the CVE Quality Working Group (QWG), will continue to help CVE to evolve in a positive, user-centric way as a CVE Board member.
About Chandan
With over 20 years of experience working in product security, Chandan is an insightful, strong technical leader with an eye towards vulnerability issues that affect end-user organizations. Chandan has a long history of contributing to the CVE Program, demonstrating a commitment to improving CVE, and working as a producer and consumer of CVE information. He leads the product security team at Palo Alto Networks.
Chandan is the co-chair of the CVE QWG, which is currently working to improve the quality of CVE data and standardize the CVE JSON record format. He leads the product security tooling workgroup at the Forum of Incident Response and Security Teams (FIRST) and is an active participant in the CVSS SIG, which is developing the industry standard for assessing the severity of security vulnerabilities.
Chandan is the creator of the open-source project OpenGrok, the popular source code search solution used by several major open-source projects and software development teams. Chandan continues to focus on automation within the CVE Program and on improving the user experience for CVE stakeholders. He developed Vulnogram, an online tool that helps CNAs easily produce and update CVE assignment details in the CVE JSON record format.
About the CVE Board
The CVE Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE Program.
Read on the CVE website or share on Medium:
Chandan Nandakumaraiah of Palo Alto Networks Joins CVE Board, CVE Blog
Chandan Nandakumaraiah of Palo Alto Networks Joins CVE Board, Medium
We Speak CVE Podcast – Interview with Larry Cashdollar: A Researcher’s Perspective
The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program. In our latest episode, Kelly Todd of the CVE Program interviews security researcher Larry Cashdollar about how he got started researching vulnerabilities and his experiences over the years, how he became the CVE Program’s first-ever independent vulnerability researcher CVE Numbering Authority (CNA), best practices, and the benefits of being able to assign his own CVE IDs to the vulnerabilities he discovers.
The podcast is available for free on the CVE website as an MP3 file, on the CVE Program Channel on YouTube, and on major podcast directories such as Spotify, Stitcher, Google Podcasts, Apple Podcasts, iHeartRadio, Podcast Addict, Podchaser, Pocket Casts, Deezer, Listen Notes, Player FM, and Podcast Index, among others.
Please give the podcast a listen and let us know what you think by commenting on the CVE Blog on Medium or by using the CVE Request Web Form and selecting “Other” from the dropdown menu. We look forward to hearing from you!
Vulnerabilities in billions of Wi-Fi devices let hackers bypass firewalls, Ars Technica
Bluetooth flaws allow attackers to impersonate legitimate devices, Bleeping Computer
PDF Feature ‘Certified’ Widely Vulnerable to Attack, Threat Post
Trend Micro home security guardian beset by triple vulnerability threat, The Daily Swig
Siemens Patches Critical Security Flaw in Certain Products, Gov Info Security
Follow us for the latest from CVE:
@CVEnew - Twitter feed of the latest CVE Records
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Documentation - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).
CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2021, The MITRE Corporation. CVE is a registered trademark, and the CVE logo is a trademark, of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.