1. 21 Additional Organizations Added as CVE Numbering Authorities (CNAs)
2. Our CVE Story: Why Red Hat Became a Root
3. How Red Hat Supports Open-Source Vulnerabilities Within the CVE Program
4. CVE Podcast – Coordinated Vulnerability Disclosure
21 Additional Organizations Added as CVE Numbering Authorities (CNAs)
The CVE Program achieved a new milestone this month with 275 organizations from around the world now participating as CNAs. One additional country—South Africa—was also added as of February 21, 2023, bringing the total countries represented to 36. CNAs are bug bounty provider, CERT, hosted service, open source, researcher, and vendor organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage.
Since our last issue, 21 additional organizations have partnered with the program as CNAs:
- Austin Hackers Anonymous for vulnerabilities in the AHA! website and other AHA! controlled assets, as well as vulnerabilities identified in assets owned, operated, or maintained by another organization unless covered by the scope of another CNA (USA)
- Baidu, Inc. for projects listed on Baidu’s PaddlePaddle GitHub website only (China)
- B. Braun SE for B. Braun’s commercially available products only (Germany)
- Canon Inc. for vulnerabilities in products and services designed and developed by Canon Inc. (Japan)
- Docker Inc. for all Docker products, including Docker Desktop and Docker Hub, as well as Docker maintained open-source projects (USA)
- dotCMS LLC for all dotCMS product services including the vulnerabilities reported in our open-source core located at https://github.com/dotCMS/core (USA)
- Exodus Intelligence for vulnerabilities discovered by Exodus Intelligence as well as acquisitions from independent researchers via its Research Sponsorship Program (RSP) (USA)
- Genetec Inc. for Genetec products and solutions only (Canada)
- Google Open Source Software (GoogleOSS) for vulnerabilities in open source software published and maintained by Google (USA)
- Grafana Labs for all Grafana Labs open source and commercial products (USA)
- Hillstone Networks Inc. for vulnerabilities in our products listed at https://www.hillstonenet.com/hillstone-networks-product-portfolio/ and those products we sell only in China listed at https://www.hillstonenet.com.cn/product-and-service/, not including our websites (China)
- The HISP Centre at the University of Oslo for security issues in DHIS2 open-source web and mobile software applications (Norway)
- National Instruments for NI products only (including National Instruments) (USA)
- Open-Xchange for products and services provided by Open-Xchange, PowerDNS, and Dovecot (Germany)
- Proofpoint Inc. for all Proofpoint products (USA)
- Qualys, Inc. for all Qualys products and vulnerabilities discovered by Qualys that are not covered by another CNA’s scope (USA)
- ServiceNow for all ServiceNow products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by ServiceNow that are not in another CNA’s scope (USA)
- Shop Beat Solutions (Pty) LTD for vulnerabilities in Shop Beat products and services and vulnerabilities discovered by Shop Beat unless covered by the scope of another CNA (South Africa)
- STAR Labs SG Pte. Ltd. for vulnerabilities discovered by STAR Labs SG that are not in another CNA’s scope (Singapore)
- Tribe29 GmbH for all products of Tribe29 including Checkmk and Checkmk Appliance (Germany)
- wolfSSL Inc. for Transport Layer Security (TLS) and Cryptographic issues found in wolfSSL products (USA)
CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
There are currently 275 partners from 36 countries participating in the CVE Program. View the entire list of CNA partners on the CVE website.
Our CVE Story: Why Red Hat Became a Root
Guest author Yogesh Mittal is a Manager at Red Hat Product Security, and Red Hat is a long-time CVE Numbering Authority (CNA) and now a Root.
Red Hat was recently designated as a CVE Program Root covering open-source software for any projects or existing CNAs that prefer to choose Red Hat as their Root. In the CVE Program, a “Root” is an organization authorized within the CVE Program that is responsible, within a specific scope, for the recruitment, training, and governance of one or more CNAs.
It’s a pleasure and a proud moment for Red Hat to share our CVE story of how and why we became a Root and how we contribute to the CVE Program’s coverage of open-source software.
Red Hat Product Security also celebrates 21 years of protecting our customers, and we are excited as we continue our journey by extending support to the broader open-source software ecosystem.
CVE Program Partner Since 2002
Red Hat partnered with the CVE Program as a CNA in 2002. Back then, we handled security flaws in our packages, and we needed to know the state of our products. We started using “Getting Things Done” (GTD), a methodology developed by David Allen. Using the GTD workflow system, we set the foundation for building the workflow in Product Security for handling vulnerabilities. The idea was to track the issues; we wanted to give them all an ID for clarity. We decided to invest our time in CVEs fully as a means to do so. It was the right way to have an industry-wide naming system for vulnerabilities.
Red Hat Product Security was one of the initial organizations that started assigning CVEs for all vulnerabilities, and we assign CVEs publicly early in the process. This allowed us to track an issue right through, from identification to fix. It also helped other Linux distributions to have a common designation for a flaw, even though we all ship different versions and upstream versions of each package. Even in the case of a backport, the CVE numbering schema fits backport fixes, and we could discuss the same issue. This is an open-source community approach that we fully believe in, and it is for the community that we maintain this approach to identification.
During this time, we assigned CVE IDs alongside CVE Program analysts on the oss-security mailing list, where open-source projects would request them (for example, https://www.openwall.com/lists/oss-security/2012/07/24/5). This process did not scale well long-term and led to the creation of the CVE Program Request forms, the CVEList GitHub pilot, and later the CVE Services API. We contributed to each one of these efforts, including assisting with pen testing and the early design of the CVE Services API. We saw much value in automation, especially at our scale of dealing with thousands of vulnerabilities each year across a large product portfolio built on top of thousands of open-source projects. Since joining in 2002, we have reserved CVE IDs and published almost 10,000 CVE Records for various open-source projects.
The CVE Program has matured and expanded over time and continues to grow, with Red Hat continuing to be one of the major contributors to the program. Red Hatters are passionate about, and actively involved in, various working groups in the CVE Program; an example worth mentioning is “cvelib,” the Python library and a command line interface for the CVE Services API, developed and maintained by Red Hat, as a contribution to assist all with reserving CVE IDs and publishing CVE Records.
Today, Red Hat manages CNA responsibilities for products shipped by Red Hat and is the Fedora CNA’s Root. We also assign CVEs to those open-source projects that are not covered by another CNA’s scope, when requested by the project. Many open-source projects are not CNAs, and they request Red Hat to manage the identification and publishing of their vulnerabilities in the CVE Program. As a part of the open-source community, we believe in supporting others who may need assistance with publishing their CVEs.
Red Hat Is Now a CVE Program Root
Red Hat is known worldwide as a leader in the open-source industry. More than 90% of Fortune 500 companies rely on Red Hat (Source: Red Hat client data and Fortune 500 list for 2021). In recognition of our reputation and support to the open-source community, in September 2022, the CVE Program designated Red Hat as a Root organization for all open-source organizations and projects that prefer Red Hat as their Root.
We take that designation as one to support any open-source project, community, or other CNA. Both security and response are an ecosystem need, regardless of your status, productization, or commercialization.
Red Hat is now the fifth Root in the CVE Program under the MITRE Top-Level Root, with a Root scope of “Any open-source organizations that prefer Red Hat as their Root; organizations are free to choose another Root if it suits them better.” This affords Red Hat the opportunity to guide and influence the overall CVE Program in a beneficial way for open-source writ large.
Red Hat Is Active in the Open-Source Community
We also contribute to many other industry groups, representing ourselves as an open-source leader as well as the wider open-source community of thousands of projects and their hard work. We believe that everyone, everywhere, is entitled to quality information needed to mitigate security and privacy risks, as well as the access to do so. We strive to protect communities of customers, contributors, and partners from digital security threats.
We believe that open-source principles are the best path forward. Red Hat Product Security has consistently demonstrated a proactive approach to finding issues in the products we ship. We have also responsibly disclosed many issues in projects that we didn’t ship, both open source and otherwise.
Why Choose Red Hat as Your Root?
When thinking about the future of product security in general, there are vast possibilities for working with the industry to share expertise and to improve processes. There will be an increased focus on enhancing the security of open-source code development, publishing open vulnerability data (for example, in the CVE JSON 5.0 format), and championing initiatives that standardize the processes of building trust in open-source software. This requires developers to write code with software security in mind, as well as industry-wide coordination and collaboration in sharing vulnerability information and security best practices.
The CVE Program and other industry coordination groups will play a key role in this evolution.
For all the reasons stated above, we believe the Red Hat Root is an excellent choice for open-source projects and existing CNAs with open-source offerings. Please email us at RootCNA-Coordination@redhat.com to discuss how working with Red Hat as your Root will specifically benefit your project’s or organization’s management of its CVE Records.
Share this article or comment on Medium:
CVE Blog - https://www.cve.org/Media/News/item/blog/2023/01/10/Why-Red-Hat-Became-Root
CVE on Medium - https://medium.com/@cve_program/our-cve-story-why-red-hat-became-a-root-122dbc2eab22
How Red Hat Supports Open-Source Vulnerabilities Within the CVE Program
Guest author Yogesh Mittal is a Manager at Red Hat Product Security, and Red Hat is a long-time CVE Numbering Authority (CNA) and now a Root.
Open-source software is software with source code that anyone can inspect, copy, modify, share, enhance, and learn from. On the other hand, there is “proprietary” or “closed source” software that has source code that only the person, team, or organization who created it can modify; the originators maintain exclusive control over it.
When we talk about “open-source software,” there are two terms that are commonly used across the industry: upstream and downstream. Within information technology, these terms refer to the flow of data. “Upstream” in open source is the source repository and project where contributions happen, and releases are made. Contributions flow from upstream to downstream.
Image source: https://opensource.com/article/16/12/open-source-software-supply-chain
One of the best examples is the Linux kernel, which is an upstream project for many Linux distributions. Distributors like Red Hat take the unmodified kernel source and add patches and opinionated configuration to build the kernel with the options that they want to offer their users. The source code that the distributors maintain, and release, is often referred to as “downstream.”
CVE Records for Open-Source Software
CNAs are organizations that are authorized to reserve CVE IDs and publish CVE Records for vulnerabilities within their scope. For the CVE Program to be successful, one critical requirement is that there needs to be one CVE Record for each vulnerability in the catalog, regardless of the source code being open-source or proprietary. The CVE Program is structured to help upstream communities assign the CVE ID for their code, which is then shared and referred to by downstream entities. Many open-source projects and organizations are Red Hat partners who discover, assign, and publish the vulnerabilities independently. Some open-source projects prefer to get assistance from expert organizations for CNA activities, specifically assigning and publishing CVEs. The success and inclusion of these open-source projects in the CNA program are critical for the overall program. Organizations like Red Hat have been extending their support to these open-source projects that request assistance, assigning and publishing CVE Records that are not covered by a specific CNA.
Red Hat and the CVE Program
Red Hat has partnered with the CVE Program as a CNA since 2002. While the CVE Program has matured, expanded, and continues to grow, Red Hat remains one of the major contributors to the program. Red Hatters are passionate about, and actively involved in, various working groups in the CVE Program. One example worth mentioning is the popular “cvelib” Python library and command line interface for the CVE Services API, which is developed and maintained by Red Hatters.
In September 2022, in recognition of Red Hat’s reputation and support to the open-source community and as a CNA, the CVE Program designated Red Hat as a Root organization for open-source organizations and projects. Red Hat is now the fifth Root in the CVE Program.
Beyond its contribution to the success of open-source projects in the CNA program, Red Hat always extends its support to the wider community.
Below are a few examples:
- Red Hat has published a large number of articles, blogs, and other resources that describe different facets of how we handle security vulnerabilities in our products.
- Red Hat Product Security released a public version of its Incident Response Plan (IRP). This IRP outlines the orchestration process any organization can use to coordinate a response to all security vulnerabilities reported or discovered within their offerings.
- Red Hat also published a document that describes the current state of its vulnerability management process. This document is kept updated to reflect the evolution of that process. Red Hat follows the open-source philosophy of continuous improvement, and that includes efforts to improve how it addresses vulnerabilities and to share that publicly.
Red Hat is pleased to extend our support to the success of open-source organizations, both as a CNA and as a Root, and to help the MITRE Top-Level Root distribute the responsibilities for open-source software vulnerability disclosure, contributing to the overall success of the CNA program.
If you are interested in your open-source project or organization becoming a CNA, or working with Red Hat to help you manage your CVEs, please contact us at RootCNA-Coordination@redhat.com to begin the discussion.
Share this article or comment on Medium:
CVE Blog - https://www.cve.org/Media/News/item/blog/2023/02/07/Open-Source-and-the-CVE-Program
CVE on Medium - https://medium.com/@cve_program/how-red-hat-supports-open-source-vulnerabilities-within-the-cve-program-af7a29878ca
CVE Podcast – Coordinated Vulnerability Disclosure
In this episode of the “We Speak CVE” podcast, host Shannon Sabens of CrowdStrike chats with Madison Oliver of GitHub Security Lab about the recent release of OpenSSF’s “Guidance for Security Researchers to Coordinate Vulnerability Disclosures with Open Source Software Projects” document and the important step of obtaining a CVE ID in the coordinated vulnerability disclosure process for open-source vulnerabilities.
OpenSSF is a “cross-industry organization that brings together the industry’s most important open-source security initiatives and the individuals and companies that support them.” The CVD Guide was released in September 2022 by OpenSSF’s Vulnerability Disclosure working group, which in 2021 released its “Guide to Implementing a Coordinated Vulnerability Disclosure Process for Open Source Projects” document; both are discussed by Shannon and Madison.
Other discussion topics in this episode include:
- the importance of finders (e.g., security researchers, hackers, academics, bug bounty hunters, etc.) in vulnerability management
- how finders can expedite their requests to software owners by providing quality information in their initial requests
- OpenSSF’s vulnerability report template and how using it can help with requests
- the importance of obtaining a CVE ID for open-source and all other vulnerabilities
- best practices for working with CVE Numbering Authorities (CNAs)
- managing expectations for turnaround times
- the CVE Program’s CVE Record Dispute Policy
- why all participants should remember that they are interacting with people in all aspects of the vulnerability management process
- and more
The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.
The CVE Program will host booth #6566 in Moscone North Expo at RSA Conference 2023 on April 25-27, 2023, in San Francisco, California, USA. We will be in the booth throughout all three days of the expo: April 25 and 26 from 10:00 AM - 6:00 PM PT, and April 27 from 10:00 AM - 3:00 PM PT. RSA itself runs April 24-27.
Program and community members will be available in the booth to discuss how easy it is to partner with the CVE Program as a CVE Numbering Authority (CNA) and the many benefits of joining.
Please stop by and say hello!
Follow us for the latest from CVE:
@CVEnew - Twitter feed of the latest CVE Records
@CVEannounce - Twitter feed of news and announcements about CVE
CVE Program - LinkedIn page
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Program Channel - YouTube
CVE Program Automation - Website
CVE Announce Newsletter - Email
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).
CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2023, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.