Tuesday, April 5, 2022

CVE Announce - April 5, 2022 (opt-in newsletter from the CVE website)

 

  1. Six Additional Organizations Added as CVE Numbering Authorities (CNAs)

  2. CVE Program Expands Partnership with Google

  3. We Speak CVE Podcast – "The Latest on Transitioning to CVE Services 2.1 and CVE JSON 5.0"

  4. For CNAs – Please Review Your CVE Records That Have Been Upconverted from JSON 4.0 to JSON 5.0

  5. For CNAs – New “CVE Program Automation Website” Available for Transition Details

  6. For CNAs – Changes to CVE Services Deployment Schedule & CVE Global Summit

  7. Keeping Up with CVE

 

 

Six Additional Organizations Added as CVE Numbering Authorities (CNAs)

 

Six additional organizations are now CNAs:

 

  1. Automotive Security Research Group (ASRG) for all automotive and related infrastructure vulnerabilities that are not in another CNA’s scope.
  2. Baxter Healthcare for Baxter’s commercially available products only.
  3. Citrix for Citrix issues only.
  4. Dutch Institute for Vulnerability Disclosure (DIVD) for vulnerabilities in software discovered by DIVD, and vulnerabilities reported to DIVD for coordinated disclosure, which are not in another CNA’s scope.
  5. JetBrains for JetBrains products only.
  6. Medtronic for all products of Medtronic or a Medtronic company including supported products and end-of-life/end-of-service products, as well as vulnerabilities in third-party software discovered in Medtronic products that are not in another CNA’s scope.

 

CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

There are currently 214 partners from 34 countries participating in the CVE Program. View the entire list of CNA partners on the new CVE website.

 

CVE Program Expands Partnership with Google

 

The CVE® Program is expanding its partnership with Google for managing the assignment of CVE Identifiers (CVE IDs) for the CVE Program.

 

Google is now designated as a Root for all of the Alphabet organizations that have already partnered with the CVE Program—Android, Chrome, and Google LLC—as well as any future Alphabet organizations.

 

As a Root for Alphabet’s organizations, Google is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CVE Numbering Authorities (CNAs) under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope.

 

A CNA is an organization responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. Currently, Google, JPCERT/CC, and Spanish National Cybersecurity Institute (INCIBE) are Roots under the MITRE Top-Level Root. There are currently 209 organizations from 33 countries actively participating as CNAs in the CVE Program.

Google’s Root designation consolidates Google as the key agent of information exchange among the Alphabet organizations participating as CNAs, thereby ensuring that all parties will work together to expedite the assignment of CVE IDs and publication of CVE Records and help improve cybersecurity worldwide.

 

“Google, with a robust vulnerability rewards program and with strong research, has long been an industry and community leader from a security perspective. The CVE Program is excited to announce that Google will expand its CNA scope to become a Root for all Alphabet organizations. This will contribute greatly to establishing common standards for security research and to the ability to scale the CVE Program,” stated Shannon Sabens, a CVE Board member and co-chair of the CVE Outreach and Communications Working Group.


Share this article or comment on Medium:
CVE Blog -
https://www.cve.org/Media/News/item/blog/2022/01/25/CVE-Program-Expands-Partnership-with
CVE on Medium -
https://medium.com/@cve_program/cve-program-expands-partnership-with-google-dd5318edfc59

We Speak CVE Podcast – The Latest on Transitioning to CVE Services 2.1 and CVE JSON 5.0

 

The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.

 

Listen on YouTube, Buzzsprout, and on major podcast directories such as Spotify, Stitcher, Apple Podcasts, Google Podcasts, among others.

The Latest on Transitioning to CVE Services 2.1 and CVE JSON 5.0

 

Lisa Olson of Microsoft and Kris Britton of the CVE Program speak with Kelly Todd of the CVE Program about the transition that’s currently underway for CVE Numbering Authorities (CNAs) to CVE Services 2.1 and CVE JSON 5.0. Their discussion includes how the new services and data format will enable effective and secure automation, improve workflows, and reduce the transaction costs of program participation for CNAs, as well as provide enhanced information in CVE Records for use by downstream consumers.

 

Specific topics include how the CVE Services 2.1 web application adds the CVE Record Submission and Upload Service (RSUS), for publishing CVE Records and updating them over time, to the previously released CVE ID Reservation (IDR) service, and how these two services will work together for CNAs. Also discussed are how the new CVE JSON 5.0 data format lets CNAs handle product versioning more consistently in CVE Records, among numerous other data enhancements; the programmatic conversion of CVE Records from JSON 4.0 to 5.0 and what is needed from CNAs regarding their converted records; the plan for an interactive, hands-on “CVE Global Summit 2022” to make the transition to the new services and data format easier for CNAs; the planned deployment process and schedule; and more.

 

For CNAs – Please Review Your CVE Records That Have Been Upconverted from JSON 4.0 to JSON 5.0

 

The CVE Program transition to CVE JSON 5.0 continues with the community review of historical JSON 4.0 records that have been converted to JSON 5.0 format. The message below, which was originally communicated to CNAs by the Quality Working Group (QWG) on March 21, 2022, announces that review.

 

The GitHub submission pilot has been using an experimental JSON format (version 4.0) for publishing CVE Records. The CVE Quality Working Group has been working to improve this format for use with the upcoming CVE Services API, with a better-specified schema while fulfilling new requirements from the CVE Program (version 5.0).

 

As part of this process, all existing CVE Records (about 181 thousand) are being programmatically upconverted and are available at https://github.com/CVEProject/cvelistV5/tree/master/review_set (last updated March 15th).

 

An index of these records by the CNAs is available here https://cveproject.github.io/quality-workgroup/reports/. You can also compare the records and their display previews for any converted CVE ID using the tool https://vulnogram.github.io/seaview/.

 

During this process, 314 records had issues with the data and were autocorrected so that the converted CVE Records contain valid content. Such corrections include trimming excessively long fields and dropping invalid dates and data. These records are reported here: https://cveproject.github.io/quality-workgroup/reports/warnings.

 

  1. Please review your CVE Records to ensure the upconversion script did not alter the meaning of the CVE Records.

    If you believe the upconversion script has a bug, please raise an issue at https://github.com/CVEProject/cve-schema/issues or suggest changes to the upconverter script using a pull request. The upconverter will be used to continually transform any JSON 4.0 submissions to JSON 5.0 format for use in the CVE Services API during the transition phase while CNAs migrate to CVE JSON 5.0.
  2. Please review this warnings report to check if you have any CVE Records that triggered warnings or errors.

    If you have a CVE Record that needs to be fixed, you have a few options:
    • (Preferred) wait for the record submission feature in the CVE Services to be available (ETA June 2022)
    • Submit corrections to the records via the Git pilot submission process
    • No action is needed if the autocorrects make sense to you

 

  3. The display/layout of the CVE Record information as shown on vulnogram.github.io/seaview would be similar to how these records may be rendered on the new cve.org website. Feedback on this new CVE Record display or layout is most welcome.

 

If you have any further questions, please feel free to raise them with the CVE Quality Working Group (cve-board-qualitywg-list@mitre.org) or as issues at https://github.com/CVEProject/cve-schema/issues.
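The review steps above ask each CNA to confirm that the upconversion did not change the meaning of its records and to check the warnings report for autocorrections (trimmed fields, dropped invalid dates). The script below is an added example of how a CNA could mechanise that comparison for its own records; it is not the CVE Program's upconverter or its reporting tooling. The field paths follow the public CVE JSON 4.0 (GitHub pilot) and CVE JSON 5.0 schemas as I understand them, which is an assumption of the example; both records are constructed, and the CVE ID is a placeholder rather than a real CVE Record.

```python
"""Compare a CVE JSON 4.0 record with its 5.0 upconversion and report anything
that changed meaning.  Added example, not CVE Program code; field paths for
both schemas are assumptions, and the records below are constructed."""
import json
from datetime import datetime

# Constructed 4.0 record (placeholder ID, not a real CVE Record).
RECORD_V4 = {
    "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0",
    "CVE_data_meta": {"ID": "CVE-2022-0000", "ASSIGNER": "cna@example.org",
                      "DATE_PUBLIC": "2022-02-30T00:00:00"},  # 30 Feb: invalid
    "description": {"description_data": [{"lang": "eng", "value":
        "Example Server before 1.5 does not escape the X-Tag header, "
        "which allows remote code execution."}]},
    "affects": {"vendor": {"vendor_data": [{"vendor_name": "Example Corp",
        "product": {"product_data": [{"product_name": "Example Server",
            "version": {"version_data": [
                {"version_value": "1.5", "version_affected": "<"}]}}]}}]}},
    "references": {"reference_data": [
        {"url": "https://example.org/advisory/1", "refsource": "MISC",
         "name": "https://example.org/advisory/1"}]},
}

# Constructed 5.0 output of an autocorrecting conversion: the invalid date was
# dropped and the description trimmed (a real trimmer only touches excessively
# long fields; the cut is kept short here so the check can be exercised).
RECORD_V5 = {
    "dataType": "CVE_RECORD", "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-2022-0000", "state": "PUBLISHED"},
    "containers": {"cna": {
        "descriptions": [{"lang": "en",
                          "value": "Example Server before 1.5 does not escape"}],
        "affected": [{"vendor": "Example Corp", "product": "Example Server",
                      "versions": [{"version": "0", "status": "affected",
                                    "lessThan": "1.5", "versionType": "custom"}]}],
        "references": [{"url": "https://example.org/advisory/1"}],
    }},
}

# The same record converted faithfully: full description, valid datePublic.
RECORD_V5_CLEAN = json.loads(json.dumps(RECORD_V5))
RECORD_V5_CLEAN["containers"]["cna"]["datePublic"] = "2022-02-28T00:00:00"
RECORD_V5_CLEAN["containers"]["cna"]["descriptions"][0]["value"] = \
    RECORD_V4["description"]["description_data"][0]["value"]


def is_valid_date(value):
    """True if value parses as an ISO 8601 timestamp (what a converter keeps)."""
    try:
        datetime.fromisoformat(value)
        return True
    except ValueError:
        return False


def view_v4(rec):
    """Normalise the meaning-bearing parts of a 4.0 record."""
    affected = set()
    for ven in rec["affects"]["vendor"]["vendor_data"]:
        for prod in ven["product"]["product_data"]:
            for ver in prod["version"]["version_data"]:
                affected.add((ven["vendor_name"], prod["product_name"],
                              ver.get("version_affected", "="), ver["version_value"]))
    return {"id": rec["CVE_data_meta"]["ID"],
            "date_public": rec["CVE_data_meta"].get("DATE_PUBLIC"),
            "descriptions": {d["value"].strip() for d in rec["description"]["description_data"]},
            "references": {r["url"] for r in rec["references"]["reference_data"]},
            "affected": affected}


def view_v5(rec):
    """Normalise a 5.0 record to the shape view_v4 produces.  5.0 writes a
    '< 1.5' range as version=0 plus lessThan=1.5; fold it back to ('<', '1.5')."""
    cna = rec["containers"]["cna"]
    affected = set()
    for a in cna.get("affected", []):
        for ver in a.get("versions", []):
            if "lessThan" in ver:
                affected.add((a["vendor"], a["product"], "<", ver["lessThan"]))
            elif "lessThanOrEqual" in ver:
                affected.add((a["vendor"], a["product"], "<=", ver["lessThanOrEqual"]))
            else:
                affected.add((a["vendor"], a["product"], "=", ver["version"]))
    return {"id": rec["cveMetadata"]["cveId"], "date_public": cna.get("datePublic"),
            "descriptions": {d["value"].strip() for d in cna.get("descriptions", [])},
            "references": {r["url"] for r in cna.get("references", [])},
            "affected": affected}


def review_upconversion(rec_v4, rec_v5):
    """Return findings as strings; an empty list means the meaning survived."""
    old, new = view_v4(rec_v4), view_v5(rec_v5)
    findings = []
    if old["id"] != new["id"]:
        findings.append(f"id changed: {old['id']} -> {new['id']}")
    for desc in old["descriptions"] - new["descriptions"]:
        kind = "truncated" if any(desc.startswith(n) for n in new["descriptions"]) else "changed"
        findings.append(f"description {kind}: {desc[:40]}...")
    for url in old["references"] - new["references"]:
        findings.append(f"reference dropped: {url}")
    for entry in old["affected"] ^ new["affected"]:  # dropped or invented ranges
        findings.append(f"affected version mismatch: {entry}")
    if old["date_public"] and not new["date_public"]:
        why = "invalid in 4.0, dropped" if not is_valid_date(old["date_public"]) else "valid date lost"
        findings.append(f"datePublic {why}: {old['date_public']}")
    return findings


if __name__ == "__main__":
    for label, rec in (("autocorrected", RECORD_V5), ("faithful", RECORD_V5_CLEAN)):
        print(label, review_upconversion(RECORD_V4, rec) or "OK")
```

Run against the review_set layout by loading each 4.0 submission and its converted 5.0 counterpart into the two arguments; the "truncated" versus "changed" distinction separates an expected autocorrect from a conversion that actually rewrote the text, and a dropped date is reported together with whether the 4.0 value was invalid, so the CNA can decide whether the third option above (no action needed) applies.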

 

For CNAs – New “CVE Program Automation Website” Available for Transition Details

 

A CVE Program Automation Website is now available as a resource for CVE Numbering Authorities (CNAs) to stay informed about CVE Program automation efforts, especially the upcoming transition to CVE Services 2.1 and CVE JSON 5.0. This is the initial launch version of the website, which will be built out with additional information over time.

 

The website includes a CVE Services Overview, JSON 5.0 Overview, and links to resources for both efforts. Also included are a Latest Announcements page and a CVE Automation Transition Details page for CNAs that includes transition details and deployment timelines, both of which will be regularly updated.

 

Visit the CVE Program Automation Website for details.

 

For CNAs – Changes to CVE Services Deployment Schedule & CVE Global Summit

 

The message below was originally communicated to CNAs by the CVE Program on March 21, 2022.

 

There has been a revision to the CVE Services deployment schedule that will affect when CVE Services 2.1 is available for use by CNAs.

 

CVE Services 2.1 consists of the Record Submission and Upload Service (RSUS) and the new CVE JSON 5.0 data format. The CVE Program is in the middle of testing CVE Services 2.1. The program thanks the CVE community for participating in the functional and penetration testing during the test period that began on February 25, 2022.

 

As a result of the ongoing testing, multiple issues have been identified. The CVE Automation Working Group (AWG) is currently developing the sprint plans and deployment schedule to remediate the identified issues as quickly as possible. Once developed, the AWG will manage the sprints to fix the identified issues. Then, a second period of testing will be opened to the community. The second testing period is the best way to ensure that the services are effective and secure.

 

Once these sprints and schedule are better defined, they will be published to enhance community understanding of the issues and foster voluntary participation in the CVE Program (e.g., the AWG). Information related to the sprints and deployment plan will be announced on the CVE CNA Slack channel, CVE CNA Discussion email list, this CVE Program Automation Website, and on CVE social media.

 

To ensure the CVE Program delivers effective, automated, and secure CVE 2.1 services that reduce the transaction costs of program participation, the “CVE Global Summit” is being shifted to a later date so that program participants can get an interactive, “hands on” description of the services to make the transition to the services easier. A new summit date will be announced in the near future.

 

Please check this page regularly for updates. You may also contact us with any comments or concerns.

 

Keeping Up with CVE

 

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Records
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

 

CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2022, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.
