1. Nine Additional Organizations Added as CVE Numbering Authorities (CNAs)
2. CVE Services v1.1.1 Deployed for CNAs
3. CVE Program Expands Partnership with Spanish National Cybersecurity Institute (INCIBE)
5. We Speak CVE Podcast – Two New Episodes!
6. CVE Program Report for Q2 Calendar Year 2021
Nine Additional Organizations Added as CVE Numbering Authorities (CNAs)
Nine additional organizations are now CNAs: (1) Devolutions Inc. for Remote Desktop Manager and Devolutions Server products; (2) ESET, spol. s r.o. for all ESET products only and vulnerabilities discovered by ESET that are not covered by another CNA’s scope; (3) Fidelis Cybersecurity, Inc. for Fidelis issues only; (4) Hitachi ABB Power Grids for Hitachi ABB Power Grids products; (5) Israel National Cyber Directorate (INCD) for vulnerability assignment related to its vulnerability coordination role; (6) Patchstack for vulnerabilities in third-party PHP products discovered by Patchstack and Patchstack Red Team; (7) SolarWinds for SolarWinds products only; (8) Toshiba Corporation for vulnerabilities related to products and services of Toshiba Corporation; and (9) Zyxel Corporation for Zyxel products issues only.
CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
To date, 179 organizations from 30 countries participate in the CVE Program as CNAs.
Read their announcement articles on the CVE website or share:
Devolutions Added as CVE Numbering Authority (CNA)
Israel National Cyber Directorate Added as CVE Numbering Authority (CNA)
ESET Added as CVE Numbering Authority (CNA)
Hitachi ABB Power Grids Added as CVE Numbering Authority (CNA)
SolarWinds Added as CVE Numbering Authority (CNA)
Fidelis Cybersecurity, Inc. Added as CVE Numbering Authority (CNA)
Patchstack Added as CVE Numbering Authority (CNA)
Toshiba Added as CVE Numbering Authority (CNA)
Zyxel Corporation Added as CVE Numbering Authority (CNA)
CVE Services v1.1.1 Deployed for CNAs
The goal of the CVE Services is to simplify and automate the reservation of CVE IDs and the submission and uploading of CVE Records to the CVE List for CNAs.
Released June 15-16, CVE Services v1.1.1 updates include implementing new initial User Registry functions/endpoints for CNAs for improved management of their CVE Services users and accounts. In addition, cvelib, a library and a command line interface for the CVE Services API that is free to use by all CNAs, was developed and released by Martin Prpic of Red Hat.
CVE Services v1.1.1 is a minor release and is backwards compatible with CVE Services v1.0.1, which was deployed for CNAs in December 2020.
Learn more on the GitHub:
CVE Services
CVE Services Documents
CVE Program Expands Partnership with Spanish National Cybersecurity Institute (INCIBE)
This article is based upon a news release by the CVE Program and INCIBE.
The CVE® Program announced it is expanding its partnership with Spanish National Cybersecurity Institute (INCIBE) for managing the assignment of CVE Identifiers (CVE IDs) for the CVE Program.
INCIBE is now designated as a Root for Spain Organizations. As a Root for Spain Organizations, INCIBE is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CVE Numbering Authorities (CNAs) under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope.
A CNA is an organization responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. Currently, INCIBE and JPCERT/CC are Roots under the MITRE Top-Level Root. There are currently 173 organizations from 29 countries actively participating in the CVE Program.
INCIBE has also extended its CNA scope responsibilities to those CVE candidates reported to INCIBE by researchers that are not within the scope of another CNA.
INCIBE’s Root designation consolidates INCIBE as a key agent of trust for the exchange of this type of information among Spanish organizations, thereby promoting a greater and better exchange of information so that all parties involved in this process can make better decisions in order to continue raising the level of cybersecurity of national companies.
Rosa Díaz, corporate general manager of INCIBE, stated, “The importance of this new role of the Institute, with public-private collaboration being one of the strategic points that will break down physical borders, which do not exist in the digital word, with the aim of detecting new vulnerabilities and strengthening cybersecurity capabilities so that our citizens and our companies are better protected.”
“The CVE Board is pleased to see INCIBE enhancing its mission of strengthening cybersecurity by stepping up their contributions to the vulnerability management community. The CVE Board welcomes INCIBE’s new role in the program as a Root CNA. We look forward to working with INCIBE in the days and years ahead,” stated Kent Landfield, a founding CVE Board member and chair of the CVE Strategic Planning Working Group.
Read on CVE website or share on Medium:
CVE Program Expands Partnership with Spanish National Cybersecurity Institute (INCIBE), CVE Blog
CVE Program Expands Partnership with Spanish National Cybersecurity Institute (INCIBE), Medium
Guest author Tomo Ito of JPCERT/CC is a member of two CVE Program working groups, CNA Coordination (CNACWG) and Outreach and Communications (OCWG), and JPCERT/CC is the first-ever Root in the CVE Program.
When I was first offered the opportunity to contribute to this blog, I was reminded by a member of the OCWG that JPCERT/CC has a unique story and has been a part of the CVE Numbering Authority (CNA) community for a long time. This is true; we were the first CNA to become a Root in the program besides the MITRE Top-Level Root (MITRE TL-Root), and did not have any CNAs under our umbrella for about 3 years — how is that not unique? I gladly accepted the offer, and with some help from my colleagues and their memories, here is our CVE story.
In 2004, vulnerability coordination activities in Japan were minimal. As a government-designated vulnerability coordinator, JPCERT/CC was conducting coordinated vulnerability disclosure (CVD) activities, but we were not global. We coordinated only with Japanese vendors by ourselves, and as for the global coordination (with the vendors located overseas), we depended on CERT/CC, and our Japan Vulnerability Notes (JVN) advisories were in Japanese text only.
Since the world was becoming more and more interdependent, JPCERT/CC recognized the need to conduct global coordination. We also became aware of the CVE Program, which allows for vulnerabilities to be identified, defined, and cataloged. CVE provides a means to communicate globally about cybersecurity vulnerabilities. JPCERT/CC took this as an opportunity to grow and launched a project to become a CNA.
The project started in 2007; JPCERT/CC localized JVN website and all its contents through 2007, and then started to publish English JVN advisories and list CVE IDs on them in May 2008 after the JVN English website launch. For two years, JPCERT/CC made individual requests for CVE IDs to the MITRE TL-Root. Then, in June 2010, we became the world's second (CERT/CC being the first) coordinator CNA.
The first year we became a CNA, we assigned 54 CVE IDs; last year, in 2020, we assigned 157 CVE IDs. Our CNA scope is vulnerability assignments related to our vulnerability coordination role, and the assigning number depends on the cases we handle and publish.
When JPCERT/CC became a Root in 2017, we did not have any CNAs under our umbrella. After a couple of years with no interest from any other Japanese companies, we met with the MITRE TL-Root to discuss our lack of CNAs and devise a new recruitment strategy.
We selected candidates based on the organization’s CVD readiness, such as if the organization conducted a bug bounty program. We traveled around Tokyo, from office to office, to explain the value, need, importance and appeal of the CVE Program.
LINE Corporation and Mitsubishi Electric Corporation bravely stepped up, and in December 2020, the two organizations became the first CNAs under our umbrella. There are currently four CNAs with JPCERT/CC — LINE Corporation, Mitsubishi Electric Corporation, NEC Corporation, and now Toshiba Corporation.
JPCERT/CC has translated the note sections of the CNA Onboarding slides into Japanese, and they are being used for our CNA trainings. Full translation of the documents is soon to come.
Our Root scope right now is “Japanese vendors” and as a neutral organization who understands the importance of global CVD, we would like to expand this to Asia-pacific region.
JPCERT/CC attended bi-weekly meetings with the MITRE TL-Root for about six months and are currently attending monthly Roots meetings with the MITRE TL-Root and CISA-ICS TL-Root. Through the meetings with the MITRE TL-Root, JPCERT/CC is preparing to become a Top-Level Root ourselves, and at the Roots meetings, interesting topics such as scope overlaps and CNA recruiting processes are being discussed.
We have also experimentally started to host quarterly meetings with our CNAs called “CNA Talk.” It is an informal, conversational meeting aimed at providing information and solving issues (if any). We are hoping these meetings will turn into CVE Summit Asia-Pacific, in the future.
After the “reboot” of our Root activities, I began participating in two different working groups in the CVE program — the OCWG and the CNACWG. Both working groups are full of valuable discussions, and I recommend them to anyone who has not participated. Through OCWG, a Roots-specific podcast, “Partnering with the CVE Program,” was recorded and released with Jo Bazar from the MITRE TL-Root, Erin Alexander from CISA ICS TL-Root, and Shannon Sabens, CVE Board member and OCWG chair.
JPCERT/CC matured as a global CVD organization through CVE — we are now a global CVD coordinator, a Root, and have companions who are on the same mission — global safety — from not only Japan, but around the world. We are grateful for all these.
We have a high degree of respect and gratitude to all the CVE participants, as I always learn new things from the CVE community.
Tomo Ito
Early Warning Group
JPCERT/CC
Comments or Questions?
If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu to contact the CVE Program. We look forward to hearing from you!
Read on CVE website or share on Medium:
Our CVE Story: JPCERT/CC, CVE Blog
Our CVE Story: JPCERT/CC, Medium
We Speak CVE Podcast – Two New Episodes!
The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.
Listen as an MP3, on YouTube, and on major podcast directories such as Spotify, Stitcher, Apple Podcasts, Google Podcasts, among others.
How the New CVE Record Format Is a Game Changer - Episode 6 YouTube | MP3
In our sixth episode, Shannon Sabens of CrowdStrike chats with Chandan Nandakumaraiah of Palo Alto Networks about how the very basic legacy format of CVE Records is being transformed for the future by adding many new optional content fields such as multiple severity scores, credit for researchers, additional languages, ability for community contributions, etc., to make CVE Records even more valuable. The use of JSON for the new format and how that enables automation for both CNA publishers and CVE content consumers are also discussed, as are the use and availability of the CVE Program’s automated CVE Numbering Authority (CNA) tools for 24/7 CVE ID assignment, CVE Record publishing, and CVE Record updating over time.
In addition, Chandan discusses the highly useful and free online Vulnogram tool for CNAs that he developed, as well as the benefits of partnering with the CVE Program as a CNA and how participating in the CVE Working Groups (WG), especially the Quality (Chandan is co-chair) and Automation WGs, helps position CVE for a more automated and productive future.
Engaging with CVE’s Automated CNA Services - Episode 5 YouTube | MP3
In our fifth episode, David Waltermire of NVD speaks with Milind Kulkarni of a NVIDIA and Kris Britton of the CVE Program to discuss the CVE Program’s automated CVE Numbering Authority (CNA) services. Topics include the automation architecture being developed and deployed by the CVE Automation Working Group (AWG); the benefits of using JSON for the CVE Record format; how automation simplifies and increases the speed of CNA processes; the currently deployed CVE ID Reservation (IDR) service; the upcoming release of the CVE Record Submission and Upload (RSUS) service; and future automation plans.
Please give our new episodes a listen and let us know what you think by commenting on YouTube, Twitter, LinkedIn, and Medium, or use the CVE Request Web Form and select “Other” from the dropdown menu. We look forward to hearing from you!
CVE Program Report for Q2 Calendar Year 2021
The CVE Program’s quarterly calendar year (CY) summary of program milestones and metrics for Q2 CY 2021 is below.
16 CVE Numbering Authorities (CNAs) Added
Sixteen new CNAs were added, including:
- 13 by the MITRE Top-Level Root: Axis Communications AB (Sweden); ESET, spol. s r.o. (Slovak Republic); Fidelis Cybersecurity, Inc. (USA); Fluid Attacks (Colombia); GS McNamara LLC (USA); huntr.dev (UK); Octopus Deploy (Australia); Patchstack OÜ (Estonia); Solarwinds (USA); Vaadin, Ltd. (Finland); Wordfence (USA); Zoom Video Communications, Inc. (USA); and Zyxel Corporation (Taiwan)
- 2 by the CISA ICS Top-Level Root: Becton, Dickinson and Company (USA) and Hitachi ABB Power Grids (Switzerland)
- 1 by the JPCERT/CC Root: Toshiba Corporation (Japan)
1 Root Organization Added
On June 17, Spanish National Cybersecurity Institute (INCIBE) became a Root for Spain Organizations under the MITRE Top-Level Root. As a Root for Spain Organizations, INCIBE is responsible for ensuring the effective assignment of CVE IDs and publication of CVE Records, implementing the CVE Program rules and guidelines, recruitment and onboarding of new CNAs, managing the CNAs under its care, and resolving disputes within its scope.
CVE Services v1.1.1 Deployed for CNAs in June
The goal of the CVE Services is to simplify and automate the reservation of CVE IDs and the submission and uploading of CVE Records to the CVE List for CNAs. Released June 15-16, CVE Services v1.1.1 updates include implementing new initial User Registry functions/endpoints for CNAs for improved management of their CVE Services users and accounts. In addition, cvelib, a library and a command line interface for the CVE Services API that is free to use by all CNAs, was developed and released by Martin Prpic of Red Hat. CVE Services v1.1.1 is a minor release and is backwards compatible with CVE Services v1.0.1, which was deployed for CNAs in December 2020.
Three “We Speak CVE” Podcast Episodes Published
In June, “How the New CVE Record Format Is a Game Changer” focuses on how the very basic legacy format of CVE Records is being transformed for the future to make CVE Records even more valuable. In May, the CVE Program’s automated CNA CVE ID assignment and CVE Record publishing services are discussed in “Engaging with CVE’s Automated CNA Services.” In April, Larry Cashdollar explains how he became the CVE Program’s first-ever independent vulnerability researcher CNA in “Interview with Larry Cashdollar A Researcher’s Perspective.”
Two “Our CVE Story” Articles Published on CVE Blog
In June, “Our CVE Story: From Robot Security Research to Managing Robot Vulnerabilities” was contributed by CVE community member Endika Gil-Uriarte of Alias Robotics, which is also a CNA. In March, “Our CVE Story: An Open-Source, Community-Based Example” was contributed by long-time CVE Board member Mark Cox of Apache Software Foundation, which is also a CNA.
New CVE Board Member
Chandan Nandakumaraiah of Palo Alto Networks joined the CVE Board in May. Chandan, a long-term active contributor to the CVE Program and current co-chair of the CVE Quality Working Group (QWG), will continue to help CVE to evolve in a positive, user-centric way as a CVE Board member.
CVE Global Summit – Spring 2021
On May 13-14, members of the CVE community gathered together virtually for the “CVE Global Summit – Spring 2021” to discuss CVE and cybersecurity, best practices, lessons learned, new opportunities, and more. Held twice per year, the summit is a way for CVE community members to regularly collaborate on specific topics in a focused manner. Session topics at the spring summit included an Update on CVE Federation; NVD’s CVMAP; Dissecting .Net Vulnerabilities; Enhancing CVE Identification–The Yocto Project Example; How Red Hat operates as a CNA; CVE JSON Schema Version 5.0; NIS2 and CVE; How the Apache CNA Handles Over 300 Subprojects; and Relationships Between CVE IDs and Vulnerability Abstraction; among other topics.
Metrics for Q2 CY 2021 published CVE Records and reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons.
Terminology
- Published – When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published. The associated data must contain an identification number (CVE ID), a prose description, and at least one public reference.
- Reserved – The initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA.
- Reserved but Public (RBP) – An RBP is a CVE ID in the “Reserved” state that is referenced in one or more public resources, but for which the details have not be published in a CVE Record.
Published CVE Records
As shown in the table below, CVE Program production was 5,000 CVE Records for CY Q2-2021, a 12% increase over CY Q1-2021. This includes all CVE Records published by all CNAs.
Comparison of Published CVE Records by Year for All Quarters (figure 1)
Reserved CVE IDs
The CVE Program tracks reserved CVE IDs. As shown in the table below, 7,895 CVE IDs were in the “Reserved” state in Q2 CY 2021. This includes all CVE IDs reserved by all CNAs.
Comparison of Reserved CVE IDs by Year for All Quarters - All CNAs Year-to-Date Q2 CY 2021 (figure 2)
Finally, the CVE Program also tracks RBPs. As shown below, the number of RBPs increased 9% over last quarter.
Comparison of Reserved but Public (RBP) CVE IDs by Year for All Quarters - All CNAs Year-to-Date Q2 CY 2021 (figure 3)
All CVE IDs Are Assigned by CNAs
All of the CVE IDs cited in the metrics above are assigned by CNAs. CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, hosted services, and research groups and individuals authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage. CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign.
Currently, 179 organizations from 30 countries are actively participating in the CVE Program as CNAs. Learn how to become a CNA or contact a Top-Level Root (CISA ICS or MITRE) to start the process today.
Read on CVE website or share on Medium:
CVE Program Report for Q2 Calendar Year 2021, CVE Blog
CVE Program Report for Q2 Calendar Year 2021, Medium
Follow us for the latest from CVE:
@CVEnew - Twitter feed of the latest CVE Records
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Documentation - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).
CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2021, The MITRE Corporation. CVE is a registered trademark, and the CVE logo is a trademark, of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.
