diff --git a/public/images/news/cveProgramReport/reservedCVEIDspublishedCVERecordsQuarterlyTrendQ2CY2024.png b/public/images/news/cveProgramReport/reservedCVEIDspublishedCVERecordsQuarterlyTrendQ2CY2024.png new file mode 100644 index 00000000..e87066af Binary files /dev/null and b/public/images/news/cveProgramReport/reservedCVEIDspublishedCVERecordsQuarterlyTrendQ2CY2024.png differ diff --git a/src/assets/data/CNAsList.json b/src/assets/data/CNAsList.json index 3b45b261..30c1abc4 100644 --- a/src/assets/data/CNAsList.json +++ b/src/assets/data/CNAsList.json @@ -8460,16 +8460,16 @@ "country": "Taiwan" }, { - "shortName": "SNPS", + "shortName": "BlackDuck", "cnaID": "CNA-2021-0013", - "organizationName": "Synopsys", - "scope": "All Synopsys SIG products, as well as vulnerabilities in third-party software discovered by Synopsys SIG that are not in another CNA’s scope", + "organizationName": "Black Duck Software, Inc.", + "scope": "All Black Duck (formerly Synopsys Software Integrity Group) products, as well as vulnerabilities in third-party software discovered by Black Duck that are not in another CNA’s scope", "contact": [ { "email": [ { "label": "Email", - "emailAddr": "psirt@synopsys.com" + "emailAddr": "psirt@blackduck.com" } ], "contact": [], @@ -8480,7 +8480,7 @@ { "label": "Policy", "language": "", - "url": "https://www.synopsys.com/company/legal/vulnerability-disclosure-policy.html" + "url": "https://www.blackduck.com/company/legal/vulnerability-disclosure-policy.html" } ], "securityAdvisories": { @@ -8488,7 +8488,7 @@ "advisories": [ { "label": "Advisories", - "url": "https://www.synopsys.com/blogs/software-security/" + "url": "https://www.blackduck.com/blog/category.cyrc.html#1" } ] }, 
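Review bot: The `shortName` for `CNA-2021-0013` changes from `SNPS` to `BlackDuck` in the first CNAsList.json hunk, and a short name is the kind of value that tends to be used as a lookup key rather than as display text. The diff does not show how `shortName` is consumed, so it is worth confirming that partner-page links and any assigner references that still say `SNPS` resolve to this entry after the rename. The same entry's reporting address and its policy and advisory URLs (this hunk and the two after it) all move to blackduck.com. These are the channels a reporter uses to reach the PSIRT, so they should be checked against the organization's own published contact details before merge.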
@@ -21606,7 +21606,7 @@ "country": "USA" }, { - "shortName": "GitHub, Inc.", + "shortName": "OS-S", "cnaID": "CNA-2024-0031", "organizationName": "OpenSource Security GmbH", "scope": "Vulnerabilities discovered by or reported to OpenSource Security, unless covered by another CNA’s scope", 
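Review bot: Nothing visible in this change guards against the slip this hunk corrects, where the entry for `CNA-2024-0031` (OpenSource Security GmbH) carried `"shortName": "GitHub, Inc."`, which names a different organization. The next hunk adds four more hand-written entries of the same shape (`CNA-2024-0065` to `CNA-2024-0068`), and this list is what tells a reporter which CNA is responsible for a scope. A check on CNAsList.json that rejects duplicate `cnaID` or `shortName` values and enforces a short-name format would catch this class of error before publication. The other short names in this diff (`BlackDuck`, `OS-S`, `Pall`, `MyMMT`, `wikimedia-foundation`, `RTI`, `icscert`) contain no spaces or commas, which suggests what that format could be. Whether such a check already exists elsewhere in the repository cannot be seen from the diff.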
@@ -23479,5 +23479,229 @@ ] }, "country": "Taiwan" + }, + { + "shortName": "Pall", + "cnaID": "CNA-2024-0065", + "organizationName": "Pall Corporation", + "scope": "Pall branded products only", + "contact": [ + { + "email": [ + { + "label": "Email", + "emailAddr": "productsecurity@pall.com" + } + ], + "contact": [], + "form": [] + } + ], + "disclosurePolicy": [ + { + "label": "Policy", + "language": "", + "url": "https://www.pall.com/en/about-pall/product-security-cvd.html" + } + ], + "securityAdvisories": { + "alerts": [], + "advisories": [ + { + "label": "Advisories", + "url": "https://www.pall.com/en/about-pall/product-security-cvd/known-vulnerabilities.html" + } + ] + }, + "resources": [], + "CNA": { + "isRoot": false, + "root": { + "shortName": "icscert", + "organizationName": "Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)" + }, + "roles": [ + { + "helpText": "", + "role": "CNA" + } + ], + "TLR": { + "shortName": "CISA", + "organizationName": "Cybersecurity and Infrastructure Security Agency (CISA)" + }, + "type": [ + "Vendor" + ] + }, + "country": "USA" + }, + { + "shortName": "MyMMT", + "cnaID": "CNA-2024-0066", + "organizationName": "Mammotome", + "scope": "All Mammotome products", + "contact": [ + { + "email": [], + "contact": [ + { + "label": "Mammotome Report a Vulnerability page", + "url": "https://www.mammotome.com/us/en/legal/product-security/report-a-security-vulnerability" + } + ], + "form": [] + } + ], + "disclosurePolicy": [ + { + "label": "Policy", + "language": "", + "url": "https://www.mammotome.com/us/en/legal/product-security/product-security-overview" + } + ], + "securityAdvisories": { + "alerts": [], + "advisories": [ + { + "label": "Advisories", + "url": "https://www.mammotome.com/us/en/legal/product-security/product-security-updates" + } + ] + }, + "resources": [], + "CNA": { + "isRoot": false, + "root": { + "shortName": "icscert", + "organizationName": "Cybersecurity and Infrastructure Security 
Agency (CISA) Industrial Control Systems (ICS)" + }, + "roles": [ + { + "helpText": "", + "role": "CNA" + } + ], + "TLR": { + "shortName": "CISA", + "organizationName": "Cybersecurity and Infrastructure Security Agency (CISA)" + }, + "type": [ + "Vendor" + ] + }, + "country": "USA" + }, + { + "shortName": "wikimedia-foundation", + "cnaID": "CNA-2024-0067", + "organizationName": "The Wikimedia Foundation", + "scope": "Any code repository hosted under gerrit.wikimedia.org, gitlab.wikimedia.org, or github.com/wikimedia that is not labeled as archived or marked as a fork of an upstream project. Please see our disclosure policy for additional exclusions to scope", + "contact": [ + { + "email": [ + { + "label": "Email", + "emailAddr": "security@wikimedia.org" + } + ], + "contact": [], + "form": [] + } + ], + "disclosurePolicy": [ + { + "label": "Policy", + "language": "", + "url": "https://www.mediawiki.org/wiki/Reporting_security_bugs" + } + ], + "securityAdvisories": { + "alerts": [], + "advisories": [ + { + "label": "Advisories", + "url": "https://gitlab.wikimedia.org/repos/security/wikimedia-cve-assignments" + } + ] + }, + "resources": [], + "CNA": { + "isRoot": false, + "root": { + "shortName": "n/a", + "organizationName": "n/a" + }, + "roles": [ + { + "helpText": "", + "role": "CNA" + } + ], + "TLR": { + "shortName": "mitre", + "organizationName": "MITRE Corporation" + }, + "type": [ + "Open Source" + ] + }, + "country": "USA" + }, + { + "shortName": "RTI", + "cnaID": "CNA-2024-0068", + "organizationName": "Real-Time Innovations, Inc.", + "scope": "All RTI Connext products, including EOL products. 
See https://www.rti.com/products for more information", + "contact": [ + { + "email": [ + { + "label": "Email", + "emailAddr": "security@rti.com" + } + ], + "contact": [], + "form": [] + } + ], + "disclosurePolicy": [ + { + "label": "Policy", + "language": "", + "url": "https://community.rti.com/static/documentation/connext-dds/current/doc/vulnerabilities/#rti-s-approach-to-vulnerability-detection-and-management" + } + ], + "securityAdvisories": { + "alerts": [], + "advisories": [ + { + "label": "Advisories", + "url": "https://community.rti.com/static/documentation/connext-dds/current/doc/vulnerabilities/#" + } + ] + }, + "resources": [], + "CNA": { + "isRoot": false, + "root": { + "shortName": "n/a", + "organizationName": "n/a" + }, + "roles": [ + { + "helpText": "", + "role": "CNA" + } + ], + "TLR": { + "shortName": "mitre", + "organizationName": "MITRE Corporation" + }, + "type": [ + "Vendor" + ] + }, + "country": "USA" } ] \ No newline at end of file diff --git a/src/assets/data/currentBoardMembersList.json b/src/assets/data/currentBoardMembersList.json index 345a552f..de20bba0 100644 --- a/src/assets/data/currentBoardMembersList.json +++ b/src/assets/data/currentBoardMembersList.json @@ -43,8 +43,8 @@ "familyName": "Cox", "firstName": "William", "imageURL": "", - "organization": "Synopsys, Inc.", - "organizationURL": "https://www.synopsys.com/", + "organization": "Black Duck Software, Inc.", + "organizationURL": "https://www.blackduck.com/", "role": "Board" }, { diff --git a/src/assets/data/events.json b/src/assets/data/events.json index c7b45f5d..7c60f029 100644 --- a/src/assets/data/events.json +++ b/src/assets/data/events.json @@ -2,23 +2,10 @@ "currentEvents": [ { "id": 34, - "title": "CVE/FIRST VulnCon 2025", - "location": "Raleigh, North Carolina, USA & Virtual", - "description": "VulnCon 2025 is co-sponsored by the CVE Program and FIRST and is open to the public.

SPECIAL MESSAGE FOR CVE NUMBERING AUTHORITIES (CNAs):
VulnCon 2025 takes the place of this year’s Spring CVE Global Summit.

Program Overview:
* Day 1: Monday, April 7 — TBA
* Day 2: Tuesday, April 8 — TBA
* Day 3: Wednesday, April 9 — TBA
* Day 4: Thursday, April 10 — TBA

Agenda:
TBA

Call for Papers:
TBA

Registration:
Registration fees include four days of coffee breaks and buffet lunches, one networking reception hosted at the McKimmon Center, and applicable meeting materials. Note that discounted rates are not being offered for this event regardless of membership or speaking status.

An After Party will be tentatively hosted off-site with tickets to be sold separately. More information to come. Tickets will cost US $25.00.

Registration will open in November 2024.

Venue:
McKimmon Center,
North Carolina State University
,
1101 Gorman St.,
Raleigh, North Carolina 27606
USA

Purpose:
The purpose of VulnCon is to collaborate with various vulnerability management and cybersecurity professionals to develop forward leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem.

A key goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and best determine how to benefit the ecosystem broadly.", - "permission": "public", - "url": "https://www.first.org/conference/vulncon2025/", - "date": { - "start": "2025-04-07", - "end": "2025-04-10", - "repeat": false - } - }, - { - "id": 33, "displayOnHomepageOrder": 1, "title": "CVE Program Workshop – Autumn 2024", "location": "Virtual", - "description": "A collaborative virtual community event of CVE Partners focused on improving CVE.

Event Time: 10:00 AM to 2:00 PM EDT both days. Additional Details: TBA

Workshop “save the date” sent September 5, 2024.", + "description": "A collaborative virtual community event of CVE Partners focused on improving CVE.

Event Time: 10:00 AM to 2:00 PM EDT both days.

Workshop “save the date” announcement, with expected topics and other details, sent to partners on September 19, 2024.", "permission": "private", "url": "", "date": { @@ -27,6 +14,20 @@ "repeat": false } }, + { + "id": 33, + "displayOnHomepageOrder": 2, + "title": "CVE/FIRST VulnCon 2025", + "location": "Raleigh, North Carolina, USA & Virtual", + "description": "VulnCon 2025 is co-sponsored by the CVE Program and FIRST and is open to the public.

SPECIAL MESSAGE FOR CVE NUMBERING AUTHORITIES (CNAs):
VulnCon 2025 takes the place of this year’s Spring CVE Global Summit.

Program Overview:
* Day 1: Monday, April 7 — TBA
* Day 2: Tuesday, April 8 — TBA
* Day 3: Wednesday, April 9 — TBA
* Day 4: Thursday, April 10 — TBA

Agenda:
TBA

Call for Papers:
TBA

Registration:
Registration will open in November 2024.
Registration fees include four days of coffee breaks and buffet lunches, one networking reception hosted at the McKimmon Center, and applicable meeting materials. Note that discounted rates are not being offered for this event regardless of membership or speaking status.

An After Party will be tentatively hosted off-site with tickets to be sold separately. More information to come. Tickets will cost US $25.00.

Venue:
McKimmon Center,
North Carolina State University
,
1101 Gorman St.,
Raleigh, North Carolina 27606
USA

Purpose:
The purpose of VulnCon is to collaborate with various vulnerability management and cybersecurity professionals to develop forward leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem.

A key goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and best determine how to benefit the ecosystem broadly.", + "permission": "public", + "url": "https://www.first.org/conference/vulncon2025/", + "date": { + "start": "2025-04-07", + "end": "2025-04-10", + "repeat": false + } + }, { "id": 32, "title": "Vulnerability Conference and Events Working Group (VCEWG)", diff --git a/src/assets/data/faqs.json b/src/assets/data/faqs.json index 1ee1fbed..7f0bdb66 100644 --- a/src/assets/data/faqs.json +++ b/src/assets/data/faqs.json @@ -104,7 +104,7 @@ "questionId": "cve_nvd_relationship", "questionText": "What is the relationship between CVE and the NVD (U.S. National Vulnerability Database)", "questionResponseParagraphs": [ - "CVE and NVD are two separate programs. The CVE List was launched by the MITRE Corporation as a community effort in 1999. The U.S. National Vulnerability Database (NVD) was launched by the National Institute of Standards and Technology (NIST) in 2005. While separate, output from both programs is available to the public and free to use." + "CVE and NVD are two separate programs. The CVE List was launched by the MITRE Corporation as a community effort in 1999. The U.S. National Vulnerability Database (NVD) was launched by the National Institute of Standards and Technology (NIST) in 2005. The CVE List feeds NVD, which historically has built upon the information included in CVE Records to provide enhanced information for each record in its database. While separate, output from both programs is available to the public and free to use." ] } ] diff --git a/src/assets/data/metrics.json b/src/assets/data/metrics.json index ac05a04c..d15ddd9c 100644 --- a/src/assets/data/metrics.json +++ b/src/assets/data/metrics.json @@ -9,7 +9,7 @@ }, { "quarter": "2", - "value": "TBA" + "value": "11,716" }, { "quarter": "3", 
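Review bot: Across the two events.json hunks the `id` values stay with the array positions instead of moving with the events: the Autumn 2024 workshop now has `"id": 34` and VulnCon 2025 has `"id": 33`, the reverse of the old side. If `id` is used as a stable key anywhere (the diff does not show its consumers), existing references to event 34 would now land on the workshop, whose `permission` is `private`, rather than on the public VulnCon entry. Homepage ordering is already carried by `displayOnHomepageOrder`, so the two objects could be moved whole, keeping `"id": 33` on the workshop and `"id": 34` on VulnCon.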
@@ -553,7 +553,7 @@ "data": [ { "quarter": "all", - "value": "13,499" + "value": "26,028" } ] }, @@ -1161,11 +1161,11 @@ }, { "month": "September", - "value": "7" + "value": "8" }, { "month": "October", - "value": "TBA" + "value": "3" }, { "month": "November", diff --git a/src/assets/data/news.json b/src/assets/data/news.json index be618075..2bf0dbbd 100644 --- a/src/assets/data/news.json +++ b/src/assets/data/news.json 
@@ -1,5 +1,378 @@ { "currentNews": [ + { + "id": 417, + "newsType": "news", + "title": "RTI Added as CVE Numbering Authority (CNA)", + "urlKeywords": "RTI Added as CNA", + "date": "2024-10-01", + "description": [ + { + "contentnewsType": "paragraph", + "content": "Real-Time Innovations, Inc. (RTI) is now a CVE Numbering Authority (CNA) for all RTI Connext products, including EOL products. See https://www.rti.com/products for more information." + }, + { + "contentnewsType": "paragraph", + "content": "To date, 411 CNAs (409 CNAs and 2 CNA-LRs) from 40 countries and 1 no country affiliation have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) and publish CVE Records for vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. RTI is the 223rd CNA from USA." + }, + { + "contentnewsType": "paragraph", + "content": "RTI’s Root is the MITRE Top-Level Root." + } + ] + }, + { + "id": 416, + "newsType": "news", + "title": "Wikimedia Foundation Added as CVE Numbering Authority (CNA)", + "urlKeywords": "Wikimedia Foundation Added as CNA", + "date": "2024-10-01", + "description": [ + { + "contentnewsType": "paragraph", + "content": "The Wikimedia Foundation is now a CVE Numbering Authority (CNA) for any code repository hosted under gerrit.wikimedia.org, gitlab.wikimedia.org, or github.com/wikimedia that is not labeled as archived or marked as a fork of an upstream project. Please see our disclosure policy for additional exclusions to scope." + }, + { + "contentnewsType": "paragraph", + "content": "To date, 410 CNAs (408 CNAs and 2 CNA-LRs) from 40 countries and 1 no country affiliation have partnered with the CVE Program. 
CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) and publish CVE Records for vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. Wikimedia Foundation is the 222nd CNA from USA." + }, + { + "contentnewsType": "paragraph", + "content": "Wikimedia Foundation’s Root is the MITRE Top-Level Root." + } + ] + }, + { + "id": 415, + "newsType": "news", + "title": "Mammotome Added as CVE Numbering Authority (CNA)", + "urlKeywords": "Mammotome Added as CNA", + "date": "2024-10-01", + "description": [ + { + "contentnewsType": "paragraph", + "content": "Mammotome is now a CVE Numbering Authority (CNA) for all Mammotome products." + }, + { + "contentnewsType": "paragraph", + "content": "To date, 409 CNAs (407 CNAs and 2 CNA-LRs) from 40 countries and 1 no country affiliation have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) and publish CVE Records for vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. Mammotome is the 221st CNA from USA." + }, + { + "contentnewsType": "paragraph", + "content": "Mammotome’s Root is the CISA ICS Root." + } + ] + }, + { + "id": 414, + "newsType": "podcast", + "title": "CNA Onboarding Process Myths Versus Facts", + "urlKeywords": "CNA Onboarding Process Myths Versus Facts", + "date": "2024-10-01", + "description": [ + { + "contentnewsType": "paragraph", + "content": "Shannon Sabens of CrowdStrike chats with Dave Morse, program coordination lead for the CVE Program, about the myths and facts of the CVE Numbering Authority (CNA) partner onboarding process." 
+ }, + { + "contentnewsType": "paragraph", + "content": "Truth and facts about the following topics are discussed: duration and complexity of the onboarding process; the fact that there is no fee to participate; ease of incorporating assigning CVE Identifiers (CVE IDs) and publishing CVE Records into an organization’s existing coordinated vulnerability disclosure (CVD) processes; availability of automated tools for CNAs; the CVE JSON Record format and available guidance; role of Roots and Top-Level Roots and how they help CNAs; importance of CNAs determining their own scopes; disclosure policies; the community aspect of being a CNA and the availability of peer support; the value of CNAs participating in one or more CVE Working Groups, especially the CNA Organization of Peers (COOP); and much more!" + }, + { + "contentnewsType": "paragraph", + "content": "“We Speak CVE” is a free podcast about cybersecurity, vulnerability management, and the CVE Program. Listen on the CVE Program Channel on YouTube, on We Speak CVE page on Buzzsprout, and on major podcast directories such as Spotify, Stitcher, Apple Podcasts, iHeartRadio, Podcast Addict, Podchaser, Pocket Casts, Deezer, Listen Notes, Player FM, and Podcast Index, among others." + } + ], + "url": "https://www.youtube.com/embed/N22bsppsJSQ" + }, + { + "id": 413, + "newsType": "blog", + "title": "CVE Program Report for Quarter 2 Calendar Year (Q2 CY) 2024", + "urlKeywords": "CVE Program Report for Q2 2024", + "date": "2024-10-01", + "author": { + "name": "CVE Program", + "organization": { + "name": "CVE Program", + "url": "" + }, + "title": "", + "bio": "" + }, + "description": [ + { + "contentnewsType": "paragraph", + "content": "The CVE Program’s quarterly summary of program milestones and metrics for Q2 CY 2024." + }, + { + "contentnewsType": "paragraph", + "content": "

Q2 CY 2024 Milestones

" + }, + { + "contentnewsType": "paragraph", + "content": "

Eighteen CVE Numbering Authorities (CNAs) Added

" + }, + { + "contentnewsType": "paragraph", + "content": "The eighteen (18) new CNAs added this quarter are listed below under their Top-Level Root (TL-Root) or Root. Scope of coverage is described next to their organization name." + }, + { + "contentnewsType": "paragraph", + "content": "Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Root:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "MITRE TL-Root:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "Spanish National Cybersecurity Institute, S.A. (INCIBE) Root:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "

First-Ever CVE Authorized Data Publisher (ADP) Began Enhancing CVE Records in June

" + }, + { + "contentnewsType": "paragraph", + "content": "In June, the CVE Program added CISA as the first-ever CVE Authorized Data Publisher (ADP). As an ADP, CISA is authorized to enrich the content of CVE Records published by CNAs with additional, related information (e.g., risk scores, references, vulnerability characteristics, translations, etc. The ADP role focuses on adding informational elements to CVE Records within a specific scope that is approved by the CVE Board. It should be noted that while an ADP is eligible to augment the information in CVE Records, the ADP cannot modify the data the CNA has published in their “CNA container.” Instead, all ADP updates to CVE Records will occur in a separate organizational “ADP container.” Read the full announcement." + }, + { + "contentnewsType": "paragraph", + "content": "

CVE Record Format & CVE Services Updated in May to Enable Enriched Vulnerability Data in CVE Records

" + }, + { + "contentnewsType": "paragraph", + "content": "In May, the CVE Program released CVE Record Format 5.1.0 (view release notes) and CVE Services 2.3.0 (view release notes). This newest version release of the CVE Record Format further enabled additional vulnerability-related information to be included by CNAs in CVE Records at the time of disclosure. CVE Services was updated to support this new version of the CVE Record Format. Learn more here." + }, + { + "contentnewsType": "paragraph", + "content": "

Community Informed That All Support for the Legacy CVE Download Formats Would End on June 30, 2024

" + }, + { + "contentnewsType": "paragraph", + "content": "The phased deprecation of legacy CVE content download formats (i.e., CSV, HTML, XML, and CVRF), began on January 1, 2024, and concluded on June 30, 2024. Phased deprecation means that the frequency of updates to the legacy download formats was reduced over a six-month period until they are no longer updated at the end of June 2024. These legacy download formats have been replaced by JSON as the only supported format for CVE Records and CVE downloads. This change was first announced in July 2023 in a CVE Blog article entitled “Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024” on the CVE.ORG website and promoted throughout the remainder of 2023 and during the first six months of 2024 with multiple posts on the CVE.ORG website, in the CVE Blog, in the CVE Announce email newsletter, and on CVE social media." + }, + { + "contentnewsType": "paragraph", + "content": "

Transition to “CNA Rules Version 4.0” Announced in May

" + }, + { + "contentnewsType": "paragraph", + "content": "The CVE Board voted to approve the all-new “CVE Numbering Authority (CNA) Operational Rules Version 4.0” at the end of April. CNAs, and the wider CVE community, were informed of the upcoming change in an early May blog article entitled “CNA Rules Version 4.0 Update and Transition,” and on social media, that the new rules would take effect on August 8, 2024 after a 90-day transition period. To assist CNAs with the transition to the new rules, the CVE Program hosted a “CNA Rules v4.0 Q&A Webinar” in June, the video of which is available on the CVE Program Channel on YouTube. The webinar provided information to CNAs about ways the new rules might affect CNA processes in the short term, the benefits for CNAs moving forward, and the expected positive impact on the vulnerability management ecosystem. In addition, the “Expected Impact of the CNA Rules 4.0” podcast episode provided information about the new fundamental concept embedded throughout the rules called the “right of refusal”; how CVE assignment is technology neutral (i.e., cloud, artificial intelligence, etc.); end-of-life assignments; the dispute process; how CNAs can add additional data to their CVE Records such as CVSS, CWE, and CPE information at the time of disclosure for use by downstream consumers; and the expected positive impact of the rules on CNAs and the vulnerability management ecosystem." + }, + { + "contentnewsType": "paragraph", + "content": "

Community Informed That New CVE Record Format Enables Additional Data Fields at Time of Disclosure

" + }, + { + "contentnewsType": "paragraph", + "content": "The community was informed in an April CVE Blog article entitled “New CVE Record Format Enables Additional Data Fields at Time of Disclosure” that the CVE Program had “evolved its record format to enhance automation capabilities and data enrichment. This format, utilized by CVE Services, facilitates the reservation of CVE IDs and the inclusion of data elements like CVSS, CWE, CPE, and other data into the CVE Record at the time of issuing a security advisory. This means the authoritative source (within their CNA scope) of vulnerability information — those closest to the products themselves — can accurately report enriched data to CVE directly and contribute more substantially to the vulnerability management process.” Read the full announcement." + }, + { + "contentnewsType": "paragraph", + "content": "

New Name for CNACWG: “CNA Organization of Peers (COOP)”

" + }, + { + "contentnewsType": "paragraph", + "content": "In May, the name of the CNA Coordination Working Group (CNACWG) changed to “CNA Organization of Peers (COOP),” which better reflects the supportive and collaborative nature of the group. The purpose of COOP (pronounced Co-Op), per the COOP Charter, is to give “voice to, and establishing working norms for, the extended community of CVE Numbering Authorities (CNAs). This includes providing a CNA Board Liaison to the CVE Board, maintaining onboarding and continuing documentation for CNAs, setting the agenda for periodic CNA summits, and other CNA community activities designed to promote the CVE Program.” Read the entire COOP Charter. COOP membership is limited to representatives of currently active CNAs on the List of Partners. There is no limit to the number of representatives a given CNA may have as members of the group. Potential members to the group can request to join here. All CNAs are encouraged to participate in the COOP." + }, + { + "contentnewsType": "paragraph", + "content": "

Videos from CVE/FIRST VulnCon 2024 Available for Entire Community

" + }, + { + "contentnewsType": "paragraph", + "content": "Videos from all 44 sessions of CVE/FIRST VulnCon 2024, held on March 25-27, 2024, were posted for the community in May on the FIRST Channel on YouTube and the CVE Program Channel on YouTube. The purpose of VulnCon was to collaborate with various vulnerability management and cybersecurity professionals to develop forward leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem. See the full list of videos here." + }, + { + "contentnewsType": "paragraph", + "content": "

CVE Podcast About CVE Data Analysis Inspired by a Presentation at CVE/FIRST VulnCon 2024

" + }, + { + "contentnewsType": "paragraph", + "content": "In this April “We Speak CVE Podcast” episode, entitled “Swimming in Vulns (or, Fun with CVE Data Analysis),” host Shannon Sabens of CrowdStrike chats with Benjamin Edwards and Sander Vinberg, both of Bitsight, about analyzing vulnerability data in the CVE List. This is a follow-on to their “CVE Is The Worst Vulnerability Framework (Except For All The Others)” talk at CVE/FIRST VulnCon 2024. Topics discussed include the types of vulnerabilities and vulnerability intelligence they reviewed and the different ways they approached the data; how CVE is a really good framework for compiling information about, and communicating effectively about, vulnerabilities; how increasing the number of CNAs through federation has improved the quantity and quality of data produced by the program over time; how the overall quality of CVE List data improves for the entire vulnerability management ecosystem when CNAs include CVSS, CWE, CPE, etc., information when their CVE Records are published; and more." + }, + { + "contentnewsType": "paragraph", + "content": "

CVE Podcast Introduced 3 New CVE Board Members

" + }, + { + "contentnewsType": "paragraph", + "content": "In this “We Speak CVE Podcast” entitled Meet the 3 New CVE Board Members — recorded live at “CVE/FIRST VulnCon 2024” and published on April 9 — CVE Board member and CVE podcast host Shannon Sabens of CrowdStrike chats with the three newest CVE Board members: Madison Oliver of GitHub Security Lab, Tod Beardsley of Austin Hackers Anonymous (AHA!), and MegaZone of F5 who joins as the new CNA Liaison to the Board. Topics include how and why each new member joined the board, the impact that participating in CVE Working Groups had on their decisions to become Board members, how federation and the ongoing addition of new CNA partners has significantly improved the CVE Program, how the program is voluntary, and how those who participate have the ability to make significant impacts in improving vulnerability management at an international level, and more." + }, + { + "contentnewsType": "paragraph", + "content": "

Our CVE Story: Ericsson’s Journey as a CVE Numbering Authority (CNA)

" + }, + { + "contentnewsType": "paragraph", + "content": "In this Our CVE Story Blog article, entitled “Our CVE Story: Ericsson’s Journey as a CVE Numbering Authority (CNA),” guest authors Milind R. Kulkarni and Umair from the Ericsson Product Security Incident Response Team (PSIRT) discuss how Ericsson partnered with the CVE Program as a CNA in January 2024. Topics include what influenced Ericsson’s the decision to become a CNA, the benefits of adopting the CVE Program process, interacting with the global CNA community to learn and exchange industry best practices in vulnerability management, and the opportunity to demonstrate leadership within the telco ecosystem and the security community.”" + }, + { + "contentnewsType": "paragraph", + "content": "

Q2 CY 2024 Metrics

" + }, + { + "contentnewsType": "paragraph", + "content": "Metrics for Q2 CY 2024 Published CVE Records and Reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons." + }, + { + "contentnewsType": "paragraph", + "content": "Terminology
" + }, + { + "contentnewsType": "paragraph", + "content": "

Published CVE Records

" + }, + { + "contentnewsType": "paragraph", + "content": "As shown in the table below, CVE Program production was 11,716 CVE Records for CY Q2 2024. This is a 26% increase over the 8,697 records published in CY Q1 2024. This includes all CVE Records published by all CNAs and the two CNAs of Last Resort (CNA-LRs)." + }, + { + "contentnewsType": "table", + "title": "", + "year": "2024", + "quarter": [ + "Q1", + "Q2" + ], + "dataRowTitle": "CVE Records Published by All CNAs", + "dataRowCounts": [ + "8,697", + "11,716" + ] + }, + { + "contentnewsType": "paragraph", + "content": "

Reserved CVE IDs

" + }, + { + "contentnewsType": "paragraph", + "content": "The CVE Program tracks reserved CVE IDs. As shown in the table below, 12,529 CVE IDs were in the “Reserved” state in Q2 CY 2024, a 7% decrease over the 13,499 IDs reserved in CY Q1 2024. This includes all CVE IDs reserved by all CNAs and the two CNA-LRs." + }, + { + "contentnewsType": "table", + "title": "", + "year": "2024", + "quarter": [ + "Q1", + "Q2" + ], + "dataRowTitle": "CVE IDs Reserved by All CNAs", + "dataRowCounts": [ + "13,499", + "12,529" + ] + }, + { + "contentnewsType": "paragraph", + "content": "

CVE IDs Reserved/CVE Records Published Quarterly Trend by CY

" + }, + { + "contentnewsType": "image", + "imageWidth": "", + "href": "/news/cveProgramReport/reservedCVEIDspublishedCVERecordsQuarterlyTrendQ2CY2024.png", + "altText": "Quarterly trend of reserved CVE IDs and published CVE Records for calendar years for 2020-2024 by all CNAs and CNA-LRs", + "captionText": "Quarterly trend of reserved CVE IDs and published CVE Records by all CNAs and CNA-LRs.
View as tables on the Metrics page." + }, + { + "contentnewsType": "paragraph", + "content": "

CNA Partners Grow the CVE List

" + }, + { + "contentnewsType": "paragraph", + "content": "All of the CVE IDs and CVE Records cited in the metrics above are assigned and published by CNAs and the two CNA-LRs, within their own specific scopes." + }, + { + "contentnewsType": "paragraph", + "content": "CNAs partner with the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign. Currently, 411 organizations (409 CNAs and 2 CNA-LRs) from 40 countries and 1 no country affiliation are partners with the CVE Program." + }, + { + "contentnewsType": "paragraph", + "content": "Learn how to become a CNA or contact one of the following to start the partnering process today:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "

Comments or Questions?

" + }, + { + "contentnewsType": "paragraph", + "content": "If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu." + }, + { + "contentnewsType": "paragraph", + "content": "We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!" + } + ] + }, + { + "id": 412, + "newsType": "blog", + "title": "Vulnerability Data Enrichment for CVE Records: CNA Recognition List, September 23, 2024", + "urlKeywords": "CNA Enrichment Recognition List Update", + "date": "2024-09-24", + "author": { + "name": "CVE Program", + "organization": { + "name": "CVE Program", + "url": "" + }, + "title": "", + "bio": "" + }, + "description": [ + { + "contentnewsType": "paragraph", + "content": "The “CNA Enrichment Recognition List” for September 23, 2024, is now available. Published every two weeks on the CVE website, the list recognizes those CVE Numbering Authorities (CNAs) that are actively providing enhanced vulnerability data in their CVE Records. CNAs are added to the list if they provide Common Vulnerability Scoring System (CVSS) and Common Weakness Enumeration (CWE™) information 98% of the time or more within the two-week period of their last published CVE Record." + }, + { + "contentnewsType": "paragraph", + "content": "For more about the recognition list, see “Recognition for CNAs Actively Providing Vulnerability Data Enrichment for CVE Records.” To learn more about vulnerability information types like CVSS and CWE, see the CVE Record User Guide." + }, + { + "contentnewsType": "paragraph", + "content": "View the CNA Enrichment Recognition List here." 
+ } + ] + }, + { + "id": 411, + "newsType": "news", + "title": "Pall Added as CVE Numbering Authority (CNA)", + "urlKeywords": "Pall Added as CNA", + "date": "2024-09-24", + "description": [ + { + "contentnewsType": "paragraph", + "content": "Pall Corporation is now a CVE Numbering Authority (CNA) for Pall branded products only." + }, + { + "contentnewsType": "paragraph", + "content": "To date, 408 CNAs (406 CNAs and 2 CNA-LRs) from 40 countries and 1 no country affiliation have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) and publish CVE Records for vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. Pall is the 220th CNA from USA." + }, + { + "contentnewsType": "paragraph", + "content": "Pall’s Root is the CISA ICS Root." + } + ] + }, { "id": 410, "newsType": "news", @@ -9,7 +382,7 @@ "description": [ { "contentnewsType": "paragraph", - "content": "ASUSTeK Computer Incorporation is now a CVE Numbering Authority (CNA) for ASUS issues only." + "content": "ASUSTeK Computer Incorporation is now a CVE Numbering Authority (CNA) for ASUS issues only. Read the ASUS news release: “ASUS Authorized by the CVE Program as a CVE Numbering Authority (CNA).”" }, { "contentnewsType": "paragraph", @@ -81,7 +454,7 @@ "description": [ { "contentnewsType": "paragraph", - "content": "The CVE Program and FIRST will co-host VulnCon 2025 at the McKimmon Center in Raleigh, North Carolina, USA, on April 7-10, 2025. The call for papers, and virtual and in-person registration options, are TBA." + "content": "The CVE Program and FIRST will co-host VulnCon 2025 at the McKimmon Center in Raleigh, North Carolina, USA, on April 7-10, 2025. Registration, both virtual and in-person, will open in November 2024." }, { "contentnewsType": "image", 
@@ -104,11 +477,11 @@
 },
 {
 "contentnewsType": "paragraph",
- "content": "We have an action-packed docket of dynamic speakers and cross-industry topics that we feel will accelerate collaboration within the vulnerability management and standards/frameworks space! This will be a must-see event for anyone involved in researching, reporting, triaging, mitigating, and communicating about security vulnerabilities. Some highlights from the agenda include: "
+ "content": "We have an action-packed docket of dynamic speakers and cross-industry topics that we feel will accelerate collaboration within the vulnerability management and standards/frameworks space! This will be a must-see event for anyone involved in researching, reporting, triaging, mitigating, and communicating about security vulnerabilities. Some highlights from the agenda include: "
 },
 {
 "contentnewsType": "paragraph",
- "content": "Some showcase sessions will include: "
+ "content": "Some showcase sessions will include: "
 },
 {
 "contentnewsType": "paragraph",
@@ -132,7 +505,7 @@
 },
 {
 "contentnewsType": "paragraph",
- "content": "For most up-to-date information, visit the CVE/FIRST VulnCon 2025 conference page hosted on the FIRST website. We look forward to seeing you at this first-ever community event!"
+ "content": "For most up-to-date information, visit the CVE/FIRST VulnCon 2025 conference page hosted on the FIRST website. We look forward to seeing you at this exciting community event!"
 }
 ]
 },
@@ -171,7 +544,7 @@
 "description": [
 {
 "contentnewsType": "paragraph",
- "content": "The CVE Program now publishes a “CNA Enrichment Recognition List” every two weeks on the Metrics page on the CVE website to recognize CVE Numbering Authorities (CNAs) that are actively enriching their CVE Records by adding Common Vulnerability Scoring System (CVSS) and Common Weakness Enumeration (CWE™) information."
+ "content": "The CVE Program now publishes a “CNA Enrichment Recognition List” every two weeks on the Metrics page on the CVE website to recognize CVE Numbering Authorities (CNAs) that are actively enriching their CVE Records by adding Common Vulnerability Scoring System (CVSS) and Common Weakness Enumeration (CWE™) information."
 },
 {
 "contentnewsType": "paragraph",
@@ -1104,12 +1477,12 @@
 "content": ""
 },
 {
- "contentnewsType": "paragraph",
- "content": "JPCERT/CC Root:"
+ "contentnewsType": "paragraph",
+ "content": "JPCERT/CC Root:"
 },
 {
- "contentnewsType": "paragraph",
- "content": ""
+ "contentnewsType": "paragraph",
+ "content": ""
 },
 {
 "contentnewsType": "paragraph",
@@ -1120,12 +1493,12 @@
 "content": ""
 },
 {
- "contentnewsType": "paragraph",
- "content": "Red Hat Root:"
+ "contentnewsType": "paragraph",
+ "content": "Red Hat Root:"
 },
 {
- "contentnewsType": "paragraph",
- "content": ""
+ "contentnewsType": "paragraph",
+ "content": ""
 },
 {
 "contentnewsType": "paragraph",
@@ -1207,9 +1580,13 @@
 "contentnewsType": "table",
 "title": "",
 "year": "2024",
- "quarter": ["Q1"],
+ "quarter": [
+ "Q1"
+ ],
 "dataRowTitle": "CVE Records Published by All CNAs",
- "dataRowCounts": ["8,697"]
+ "dataRowCounts": [
+ "8,697"
+ ]
 },
 {
 "contentnewsType": "paragraph",
@@ -1223,9 +1600,13 @@
 "contentnewsType": "table",
 "title": "",
 "year": "2024",
- "quarter": [ "Q1"],
+ "quarter": [
+ "Q1"
+ ],
 "dataRowTitle": "CVE IDs Reserved by All CNAs",
- "dataRowCounts": ["13,499"]
+ "dataRowCounts": [
+ "13,499"
+ ]
 },
 {
 "contentnewsType": "paragraph",
@@ -1256,7 +1637,7 @@
 },
 {
 "contentnewsType": "paragraph",
- "content": ""
+ "content": ""
 },
 {
 "contentnewsType": "paragraph",
@@ -2131,15 +2512,15 @@
 "date": "2024-04-23",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "On April 8, 2024, Microsoft announced in a Microsoft Security Response Center blog article entitled “Toward greater transparency: Adopting the CWE standard for Microsoft CVEs” that it will now “publish root cause data for Microsoft CVEs using the Common Weakness Enumeration (CWE™) industry standard.”"
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "In addition to explaining how Microsoft will use CWE, along with providing an example of Microsoft CVE Record with CWE information (i.e., in CVE Record CVE-2024-29990, when viewing the JSON for this record), blog author Lisa Olson, Senior Program Manager Security Release at Microsoft and a CVE Board member, states: “We believe adopting CWE will better serve our customers, developers, and security practitioners across the industry. This standard will facilitate more effective community discussions about finding and mitigating these weaknesses in existing software and hardware, while also minimizing them in future updates and releases. Ultimately, our commitment to CWE represents a meaningful step toward a more cyber-secure world.”"
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "Read the complete “Toward greater transparency: Adopting the CWE standard for Microsoft CVEs” article on the Microsoft website."
 }
 ]
@@ -2246,11 +2627,11 @@
 "date": "2024-04-09",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on March 20, 2024. Read the meeting minutes summary."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -2263,7 +2644,6 @@
 "date": "2024-04-02",
 "author": {
 "name": "Milind R. Kulkarni and Umair Bukhari",
-
 "organization": {
 "name": " Ericsson",
 "url": "https://www.ericsson.com/"
@@ -2382,11 +2762,11 @@
 "date": "2024-03-26",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on March 6, 2024. Read the meeting minutes summary."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -2534,12 +2914,12 @@
 "content": ""
 },
 {
- "contentnewsType": "paragraph",
- "content": "JPCERT/CC Root:"
+ "contentnewsType": "paragraph",
+ "content": "JPCERT/CC Root:"
 },
 {
- "contentnewsType": "paragraph",
- "content": ""
+ "contentnewsType": "paragraph",
+ "content": ""
 },
 {
 "contentnewsType": "paragraph",
@@ -2613,9 +2993,19 @@
 "contentnewsType": "table",
 "title": "",
 "year": "2023",
- "quarter": ["Q1","Q2","Q3","Q4"],
+ "quarter": [
+ "Q1",
+ "Q2",
+ "Q3",
+ "Q4"
+ ],
 "dataRowTitle": "CVE Records Published by All CNAs",
- "dataRowCounts": ["7,015","7,134","6,936","7,876"]
+ "dataRowCounts": [
+ "7,015",
+ "7,134",
+ "6,936",
+ "7,876"
+ ]
 },
 {
 "contentnewsType": "paragraph",
@@ -2629,9 +3019,19 @@
 "contentnewsType": "table",
 "title": "",
 "year": "2023",
- "quarter": [ "Q1","Q2","Q3","Q4"],
+ "quarter": [
+ "Q1",
+ "Q2",
+ "Q3",
+ "Q4"
+ ],
 "dataRowTitle": "CVE IDs Reserved by All CNAs",
- "dataRowCounts": ["9,126","10,244","9,095","11,586"]
+ "dataRowCounts": [
+ "9,126",
+ "10,244",
+ "9,095",
+ "11,586"
+ ]
 },
 {
 "contentnewsType": "paragraph",
@@ -2662,7 +3062,7 @@
 },
 {
 "contentnewsType": "paragraph",
- "content": ""
+ "content": ""
 },
 {
 "contentnewsType": "paragraph",
@@ -2692,7 +3092,7 @@
 },
 "title": "",
 "bio": ""
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
@@ -2764,11 +3164,11 @@
 "date": "2024-03-12",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on February 21, 2024. Read the meeting minutes summary."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -2829,7 +3229,7 @@
 },
 "title": "",
 "bio": ""
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
@@ -2982,11 +3382,11 @@
 "date": "2024-03-05",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on February 7, 2024. Read the meeting minutes summary."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -3238,8 +3638,8 @@
 },
 {
 "contentnewsType": "paragraph",
- "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
- }
+ "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
+ }
 ]
 },
 {
@@ -3250,11 +3650,11 @@
 "date": "2024-02-13",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on January 24, 2024. Read the meeting minutes summary."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -3425,7 +3825,7 @@
 },
 "title": "",
 "bio": ""
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
@@ -3610,7 +4010,7 @@
 },
 "title": "CVE Board Member and CVE Outreach and Communications Working Group (OCWG) Co-Chair",
 "bio": "Shannon Sabens, of CrowdStrike, is a CVE Board Member and a Co-Chair of the OCWG"
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
@@ -3746,8 +4146,8 @@
 },
 {
 "contentnewsType": "paragraph",
- "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
- }
+ "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
+ }
 ]
 },
 {
@@ -3758,11 +4158,11 @@
 "date": "2024-01-23",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on December 13, 2023. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -3844,7 +4244,7 @@
 },
 "title": "",
 "bio": ""
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
@@ -4184,8 +4584,8 @@
 },
 {
 "contentnewsType": "paragraph",
- "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
- }
+ "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
+ }
 ]
 },
 {
@@ -4224,11 +4624,11 @@
 "date": "2023-12-19",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on November 29, 2023. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -4340,7 +4740,7 @@
 "date": "2023-12-05",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Program is now on Mastodon! Please follow us for program news, new partner announcements, updates on community activities, and more at https://mastodon.social/@CVE_Program."
 },
 {
@@ -4498,12 +4898,12 @@
 "content": ""
 },
 {
- "contentnewsType": "paragraph",
- "content": "Google Root:"
+ "contentnewsType": "paragraph",
+ "content": "Google Root:"
 },
 {
- "contentnewsType": "paragraph",
- "content": ""
+ "contentnewsType": "paragraph",
+ "content": ""
 },
 {
 "contentnewsType": "paragraph",
@@ -4514,12 +4914,12 @@
 "content": ""
 },
 {
- "contentnewsType": "paragraph",
- "content": "Red Hat Root:"
+ "contentnewsType": "paragraph",
+ "content": "Red Hat Root:"
 },
 {
- "contentnewsType": "paragraph",
- "content": ""
+ "contentnewsType": "paragraph",
+ "content": ""
 },
 {
 "contentnewsType": "paragraph",
@@ -4597,9 +4997,17 @@
 "contentnewsType": "table",
 "title": "",
 "year": "2023",
- "quarter": ["Q1","Q2","Q3"],
+ "quarter": [
+ "Q1",
+ "Q2",
+ "Q3"
+ ],
 "dataRowTitle": "CVE Records Published by All CNAs",
- "dataRowCounts": ["7,015","7,134","6,936"]
+ "dataRowCounts": [
+ "7,015",
+ "7,134",
+ "6,936"
+ ]
 },
 {
 "contentnewsType": "paragraph",
@@ -4613,9 +5021,17 @@
 "contentnewsType": "table",
 "title": "",
 "year": "2023",
- "quarter": [ "Q1","Q2","Q3"],
+ "quarter": [
+ "Q1",
+ "Q2",
+ "Q3"
+ ],
 "dataRowTitle": "CVE IDs Reserved by All CNAs",
- "dataRowCounts": ["9,126","10,244","9,095"]
+ "dataRowCounts": [
+ "9,126",
+ "10,244",
+ "9,095"
+ ]
 },
 {
 "contentnewsType": "paragraph",
@@ -4646,7 +5062,7 @@
 },
 {
 "contentnewsType": "paragraph",
- "content": ""
+ "content": ""
 },
 {
 "contentnewsType": "paragraph",
@@ -4670,11 +5086,11 @@
 "date": "2023-11-28",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on November 8, 2023. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -4805,11 +5221,11 @@
 "date": "2023-10-31",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on October 11, 2023. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -4891,7 +5307,7 @@
 },
 "title": "",
 "bio": ""
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
@@ -5049,11 +5465,11 @@
 "date": "2023-10-17",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on September 27, 2023. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -5218,11 +5634,11 @@
 "date": "2023-09-26",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on September 13, 2023. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -5277,11 +5693,11 @@
 "date": "2023-09-19",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on August 30, 2023. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -5420,15 +5836,15 @@
 "date": "2023-08-29",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Program welcomes innovative ideas and new feature requests from the community in our CVE Program Ideas repository on GitHub.com. We encourage you to submit any suggestions you may have to enhance the CVE Program and help us better serve the broader community."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "Submissions could include programmatic rule/policy suggestions, innovative automation features to support more efficient CVE Record publication and use, or any other ideas you might have."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "Please note that this new repository will be used exclusively to receive and manage innovative idea suggestions and new feature requests for the overall CVE Program. It is not meant to replace previously established bug and issue trackers for the CVE Website-, CVE Services-, or CVE JSON 5.0 schema-related issues."
 },
 {
@@ -5436,11 +5852,11 @@
 "content": "

Making a Submission

" }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "Follow the steps below to submit your innovative idea or new program feature request on GitHub. You will need a GitHub account to make a submission." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "
  1. Navigate to the CVE Program Innovation Ideas and Feature Requests Issues page on GitHub.
  2. Click the “New Issue” button in the upper-right corner of the page to launch the “CVE Program New Automation Feature Request” page.
  3. Click the “Get started” button to launch the new issue template.
  4. In the “Title” field, enter a title that briefly describes your innovative idea or suggested feature.
  5. In the “Write” field, follow the instructions provided in the template to add more details.
  6. Once your submission is complete, click the “Submit new issue” button at the bottom of the form.
" }, { @@ -5451,7 +5867,7 @@ "captionText": "CVE Program Issue Tracker Template" }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "Important: Please do not select any of the options in the right-hand column next to the form (not shown in above image). Those options will be used by the CVE Program to manage the submissions." }, { @@ -5459,11 +5875,11 @@ "content": "

Processing of Submissions

" }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "Once your submission is received by the CVE Program, it will be reviewed by the CVE Board (or its designated working group). The disposition of all innovative ideas and new program feature requests can be tracked on the CVE Program Innovative Ideas/Feature Tracker. Questions about this initiative should be sent to the CVE Automation Working Group (AWG) at awg@cve-cwe-programs.groups.io." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "We look forward to hearing from you!" } ] @@ -5476,11 +5892,11 @@ "date": "2023-08-29", "description": [ { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "The CVE Board held a teleconference meeting on August 16, 2023. Read the meeting minutes." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." } ] @@ -5526,12 +5942,12 @@ "content": "" }, { - "contentnewsType": "paragraph", - "content": "Google Root:" + "contentnewsType": "paragraph", + "content": "Google Root:" }, { - "contentnewsType": "paragraph", - "content": "" + "contentnewsType": "paragraph", + "content": "" }, { "contentnewsType": "paragraph", @@ -5617,9 +6033,15 @@ "contentnewsType": "table", "title": "", "year": "2023", - "quarter": ["Q1","Q2"], + "quarter": [ + "Q1", + "Q2" + ], "dataRowTitle": "CVE Records Published by All CNAs", - "dataRowCounts": ["7,015","7,134"] + "dataRowCounts": [ + "7,015", + "7,134" + ] }, { "contentnewsType": "paragraph", 
@@ -5633,9 +6055,15 @@
 "contentnewsType": "table",
 "title": "",
 "year": "2023",
- "quarter": [ "Q1","Q2"],
+ "quarter": [
+ "Q1",
+ "Q2"
+ ],
 "dataRowTitle": "CVE IDs Reserved by All CNAs",
- "dataRowCounts": ["9,126","10,244"]
+ "dataRowCounts": [
+ "9,126",
+ "10,244"
+ ]
 },
 {
 "contentnewsType": "paragraph",
@@ -5795,11 +6223,11 @@
 "date": "2023-08-01",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on July 19, 2023. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -5818,7 +6246,7 @@
 },
 "title": "",
 "bio": ""
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
@@ -5953,11 +6381,11 @@
 "date": "2023-07-18",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on June 21, 2023. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -5970,15 +6398,15 @@
 "date": "2023-07-18",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "Subscribe to the CVE Program’s free email newsletter to receive information and updates directly in your mailbox."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "CVE Announce provides general news about the CVE Program such as new CNAs, new website features, events, etc., directly to your email inbox. Messages are sent infrequently, once a month or less."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "Sign-up here."
 }
 ]
@@ -6060,7 +6488,7 @@
 },
 "title": "",
 "bio": ""
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
@@ -6295,11 +6723,11 @@
 "date": "2023-06-13",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on May 24, 2023. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -6339,7 +6767,7 @@
 },
 "title": "",
 "bio": ""
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
@@ -6374,12 +6802,12 @@
 "content": ""
 },
 {
- "contentnewsType": "paragraph",
- "content": "Red Hat Root:"
+ "contentnewsType": "paragraph",
+ "content": "Red Hat Root:"
 },
 {
- "contentnewsType": "paragraph",
- "content": ""
+ "contentnewsType": "paragraph",
+ "content": ""
 },
 {
 "contentnewsType": "paragraph",
@@ -6453,9 +6881,13 @@
 "contentnewsType": "table",
 "title": "",
 "year": "2023",
- "quarter": ["Q1"],
+ "quarter": [
+ "Q1"
+ ],
 "dataRowTitle": "CVE Records Published by All CNAs",
- "dataRowCounts": ["7,015"]
+ "dataRowCounts": [
+ "7,015"
+ ]
 },
 {
 "contentnewsType": "paragraph",
@@ -6469,9 +6901,13 @@
 "contentnewsType": "table",
 "title": "",
 "year": "2023",
- "quarter": [ "Q1"],
+ "quarter": [
+ "Q1"
+ ],
 "dataRowTitle": "CVE IDs Reserved by All CNAs",
- "dataRowCounts": ["9,126"]
+ "dataRowCounts": [
+ "9,126"
+ ]
 },
 {
 "contentnewsType": "paragraph",
@@ -6656,11 +7092,11 @@
 "date": "2023-05-16",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on May 3, 2023. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -6678,58 +7114,58 @@ }, "title": "", "bio": "" - }, + }, "description": [ { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "Members of the CVE community recently convened, both in-person and virtually, for the “CVE Global Summit Spring 2023” to discuss CVE and cybersecurity, best practices, lessons learned, new opportunities, and more." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "The CVE Program holds global summits twice per year, in the spring and fall. Summit participants include representatives from CVE Numbering Authorities (CNAs), CVE Board members, and CVE Working Group (WG) participants. Members of the wider cybersecurity community are welcome to participate by requesting to join one or more of these three CVE Working Groups — Automation, Outreach and Communications, and Quality — to help shape CVE work flows and processes, as well as to attend future global summits." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "

A Collaborative Community Event Focused on Improving CVE

" }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "The summit is a way for the community to regularly collaborate on specific topics in a focused manner. Discussions are always informative, and many sessions result in lively and interesting discussion among community members. Sessions focused on lessons learned benefit CNAs and all community members by providing useful takeaways, while sessions focused on real-world challenges often result in creative recommendations from community member that directly impact and enhance the CVE Program." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "Topics the community discussed at the “CVE Global Summit Spring 2023” included:" }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "Day 1" }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "" }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "Day 2" }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "" }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "We thank everyone who participated in this two-day, in-person/virtual event." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "

Interested in Joining the CVE Community?

" }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "You can become a member of the CVE community by joining a Working Group or by encouraging your organization to partner with the CVE Program as a CNA. CVE Working Groups that welcome members of the general public include Automation, Outreach and Communications, and Quality." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "To start the process, please use the CVE Program Request forms and select “Other” from the dropdown menu to express how you’d like to be involved. We look forward to hearing from you!" } ] @@ -6742,11 +7178,11 @@ "date": "2023-05-09", "description": [ { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "The CVE Board held a teleconference meeting on April 12, 2023. Read the meeting minutes." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." } ] @@ -6822,7 +7258,7 @@ "date": "2023-04-25", "description": [ { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "The CVE website now contains 200,895 CVE Records, each of which identifies and defines a publicly disclosed cybersecurity vulnerability. CVE, an international community effort, began in 1999 with just 321 common records on the CVE List." }, { 
@@ -6830,7 +7266,7 @@
 "content": "CVE Records are published by organizations from around the world that have partnered with the CVE Program as a CVE Numbering Authority (CNA). CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign. To date, 287 organizations from 36 countries have partnered with the CVE Program and are actively publishing CVE Records."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities."
 }
 ]
@@ -6843,7 +7279,7 @@
 "date": "2023-04-25",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on March 29, 2023. Read the meeting minutes."
 },
 {
@@ -6997,11 +7433,11 @@
 "date": "2023-04-04",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on March 15, 2023. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -7020,7 +7456,7 @@
 },
 "title": "",
 "bio": ""
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
@@ -7108,7 +7544,7 @@
 }
 ]
 },
- {
+ {
 "id": 189,
 "newsType": "news",
 "title": "CyberDanube Added as CVE Numbering Authority (CNA)",
@@ -7236,7 +7672,7 @@
 "date": "2023-03-28",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on March 1, 2023. Read the meeting minutes."
 },
 {
@@ -7296,18 +7732,18 @@ "description": [ { "contentnewsType": "paragraph", - "content": "Kris Britton of the CVE Program speaks with Lisa Olson of Microsoft about Microsoft’s journey adopting the new CVE Services and CVE JSON 5.0 into their vulnerability management infrastructure and how they used them for the first time as part of Microsoft’s February 2023 Patch Tuesday." + "content": "Kris Britton of the CVE Program speaks with Lisa Olson of Microsoft about Microsoft’s journey adopting the new CVE Services and CVE JSON 5.0 into their vulnerability management infrastructure and how they used them for the first time as part of Microsoft’s February 2023 Patch Tuesday." }, { "contentnewsType": "paragraph", - "content": "Discussion topics include the CVE JSON 5.0 schema mind map and other schema resources on GitHub; reviewing CVE JSON 5.0 records on the CVE.ORG website; using Vulnogram, or one of the other CVE Services clients, for creating, editing, and reviewing CVE JSON 5.0 records; leveraging the CVE Services Test Environment (learn more here); how separate credentials are required for the official CVE Services and the CVE Services Test Environment; learning about CVE Services and CVE JSON 5.0 updates by attending Automation Working Group (AWG), Quality Working Group (QWG), and CNA Coordination Working Group (CNACWG) meetings; leveraging the CVE Services Slack channel for support; and more." 
+ "content": "Discussion topics include the CVE JSON 5.0 schema mind map and other schema resources on GitHub; reviewing CVE JSON 5.0 records on the CVE.ORG website; using Vulnogram, or one of the other CVE Services clients, for creating, editing, and reviewing CVE JSON 5.0 records; leveraging the CVE Services Test Environment (learn more here); how separate credentials are required for the official CVE Services and the CVE Services Test Environment; learning about CVE Services and CVE JSON 5.0 updates by attending Automation Working Group (AWG), Quality Working Group (QWG), and CNA Coordination Working Group (CNACWG) meetings; leveraging the CVE Services Slack channel for support; and more." }, { "contentnewsType": "paragraph", - "content": "Resources mentioned in the podcast:
" + "content": "Resources mentioned in the podcast:
" }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "“We Speak CVE” is a free podcast about cybersecurity, vulnerability management, and the CVE Program. Listen on the CVE Program Channel on YouTube, on We Speak CVE page on Buzzsprout, and on major podcast directories such as Spotify, Stitcher, Google Podcasts, Apple Podcasts, iHeartRadio, Podcast Addict, Podchaser, Pocket Casts, Deezer, Listen Notes, Player FM, and Podcast Index, among others." } ], @@ -7327,7 +7763,7 @@ }, "title": "", "bio": "" - }, + }, "description": [ { "contentnewsType": "paragraph", @@ -7362,20 +7798,20 @@ "content": "" }, { - "contentnewsType": "paragraph", - "content": "Google Root:" + "contentnewsType": "paragraph", + "content": "Google Root:" }, { - "contentnewsType": "paragraph", - "content": "" + "contentnewsType": "paragraph", + "content": "" }, { - "contentnewsType": "paragraph", - "content": "JPCERT/CC Root:" + "contentnewsType": "paragraph", + "content": "JPCERT/CC Root:" }, { - "contentnewsType": "paragraph", - "content": "" + "contentnewsType": "paragraph", + "content": "" }, { "contentnewsType": "paragraph", 
@@ -7418,7 +7854,7 @@ "content": "In October, as part of the soft deploy (see above), the CVE Program officially transitioned to the new format for CVE RecordsCVE JSON 5.0—on the beta cve.org website. CVE JSON 5.0 is a richer, more structured format for vulnerability identification and description. During the CVE Program’s transition period from CVE JSON 4.0 to CVE JSON 5.0, CVE Records may still be viewed in CVE JSON 4.0 format on the CVE List GitHub pilot website while the existing CVE List download formats will continue to be available on the legacy cve.mitre.org website until they are phased out in the first half of 2024. Downloads in CVE JSON 5.0 format will be introduced on this website in 2023 (see CVE List Download Formats Are Changing (Updated) for additional information)." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "

Mentoring for New CNAs

" }, { @@ -7449,9 +7885,19 @@ "contentnewsType": "table", "title": "", "year": "2022", - "quarter": ["Q1", "Q2", "Q3", "Q4"], + "quarter": [ + "Q1", + "Q2", + "Q3", + "Q4" + ], "dataRowTitle": "CVE Records Published by All CNAs", - "dataRowCounts": ["6,015", "6,365", "6,448", "6,231"] + "dataRowCounts": [ + "6,015", + "6,365", + "6,448", + "6,231" + ] }, { "contentnewsType": "paragraph", @@ -7465,9 +7911,19 @@ "contentnewsType": "table", "title": "", "year": "2022", - "quarter": [ "Q1", "Q2", "Q3", "Q4"], + "quarter": [ + "Q1", + "Q2", + "Q3", + "Q4" + ], "dataRowTitle": "CVE IDs Reserved by All CNAs", - "dataRowCounts": ["8,030", "7,922", "8,325", "10,276"] + "dataRowCounts": [ + "8,030", + "7,922", + "8,325", + "10,276" + ] }, { "contentnewsType": "paragraph", @@ -7708,11 +8164,11 @@ "date": "2023-02-14", "description": [ { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "The CVE Board held a teleconference meeting on February 1, 2023. Read the meeting minutes." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." } ] 
@@ -8001,7 +8457,7 @@ { "contentnewsType": "paragraph", "content": "The CVE Program and other industry coordination groups will play a key role in this evolution." - }, + }, { "contentnewsType": "paragraph", "content": "For all the reasons stated above, we believe the Red Hat Root is an excellent choice for open-source projects and existing CNAs with open-source offerings. Please email us at RootCNA-Coordination@redhat.com to discuss how working with Red Hat as your Root will specifically benefit your project’s or organization’s management of its CVE Records." @@ -8142,7 +8598,7 @@ }, "title": "", "bio": "" - }, + }, "description": [ { "contentnewsType": "paragraph", @@ -8156,15 +8612,15 @@ "contentnewsType": "paragraph", "content": "

11 CVE Numbering Authorities (CNAs) Added

" }, - { + { "contentnewsType": "paragraph", "content": "Eleven new CNAs were added by the two Top-Level Roots (TL-Roots), Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) and the MITRE TL-Root." }, - { + { "contentnewsType": "paragraph", "content": "CISA ICS TL-Root:" }, - { + { "contentnewsType": "paragraph", "content": "" }, @@ -8256,9 +8712,17 @@ "contentnewsType": "table", "title": "", "year": "2022", - "quarter": ["Q1", "Q2", "Q3"], + "quarter": [ + "Q1", + "Q2", + "Q3" + ], "dataRowTitle": "CVE Records Published by All CNAs", - "dataRowCounts": ["6,015", "6,365", "6,448"] + "dataRowCounts": [ + "6,015", + "6,365", + "6,448" + ] }, { "contentnewsType": "paragraph", @@ -8272,14 +8736,22 @@ "contentnewsType": "table", "title": "", "year": "2022", - "quarter": [ "Q1", "Q2", "Q3"], + "quarter": [ + "Q1", + "Q2", + "Q3" + ], "dataRowTitle": "CVE IDs Reserved by All CNAs", - "dataRowCounts": ["8,030", "7,922", "8,325"] + "dataRowCounts": [ + "8,030", + "7,922", + "8,325" + ] }, { "contentnewsType": "paragraph", "content": "

CVE IDs Reserved/CVE Records Published Quarterly Trend by CY

" - }, + }, { "contentnewsType": "image", "imageWidth": "", @@ -8306,7 +8778,7 @@ { "contentnewsType": "paragraph", "content": "" - }, + }, { "contentnewsType": "paragraph", "content": "

Comments or Questions?

" 
@@ -8353,131 +8825,131 @@ "description": [ { "contentnewsType": "paragraph", - "content": "The CVE Board held a teleconference meeting on November 30, 2022. Read the meeting minutes." + "content": "The CVE Board held a teleconference meeting on November 30, 2022. Read the meeting minutes." + }, + { + "contentnewsType": "paragraph", + "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." + } + ] + }, + { + "id": 153, + "newsType": "news", + "title": "Baidu Added as CVE Numbering Authority (CNA)", + "date": "2022-11-29", + "description": [ + { + "contentnewsType": "paragraph", + "content": "Baidu, Inc. is now a CVE Numbering Authority (CNA) for projects listed on Baidu’s PaddlePaddle GitHub website only." + }, + { + "contentnewsType": "paragraph", + "content": "To date, 260 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." + }, + { + "contentnewsType": "paragraph", + "content": "Baidu’s Root is the MITRE Top-Level Root." + } + ] + }, + { + "id": 152, + "newsType": "news", + "title": "Minutes from CVE Board Teleconference Meeting on November 9 Now Available", + "date": "2022-11-29", + "description": [ + { + "contentnewsType": "paragraph", + "content": "The CVE Board held a teleconference meeting on November 9, 2022. Read the meeting minutes." 
+ }, + { + "contentnewsType": "paragraph", + "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." + } + ] + }, + { + "id": 151, + "newsType": "news", + "title": "Proofpoint Added as CVE Numbering Authority (CNA)", + "date": "2022-11-22", + "description": [ + { + "contentnewsType": "paragraph", + "content": "Proofpoint Inc. is now a CVE Numbering Authority (CNA) for all Proofpoint products." }, { "contentnewsType": "paragraph", - "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." + "content": "To date, 259 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." + }, + { + "contentnewsType": "paragraph", + "content": "Proofpoint’s Root is the MITRE Top-Level Root." 
} ] }, { - "id": 153, + "id": 150, "newsType": "news", - "title": "Baidu Added as CVE Numbering Authority (CNA)", - "date": "2022-11-29", + "title": "Docker Added as CVE Numbering Authority (CNA)", + "date": "2022-11-22", "description": [ { "contentnewsType": "paragraph", - "content": "Baidu, Inc. is now a CVE Numbering Authority (CNA) for projects listed on Baidu’s PaddlePaddle GitHub website only." + "content": "Docker Inc. is now a CVE Numbering Authority (CNA) for all Docker products, including Docker Desktop and Docker Hub, as well as Docker maintained open-source projects." }, { "contentnewsType": "paragraph", - "content": "To date, 260 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." + "content": "To date, 258 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." }, { "contentnewsType": "paragraph", - "content": "Baidu’s Root is the MITRE Top-Level Root." + "content": "Docker’s Root is the MITRE Top-Level Root." } ] }, { - "id": 152, + "id": 149, "newsType": "news", - "title": "Minutes from CVE Board Teleconference Meeting on November 9 Now Available", - "date": "2022-11-29", + "title": "wolfSSL Added as CVE Numbering Authority (CNA)", + "date": "2022-11-22", "description": [ { "contentnewsType": "paragraph", - "content": "The CVE Board held a teleconference meeting on November 9, 2022. Read the meeting minutes." + "content": "wolfSSL Inc. 
is now a CVE Numbering Authority (CNA) for Transport Layer Security (TLS) and Cryptographic issues found in wolfSSL products." }, { "contentnewsType": "paragraph", - "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." + "content": "To date, 257 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." + }, + { + "contentnewsType": "paragraph", + "content": "wolfSSL’s Root is the CISA ICS Top-Level Root." } ] }, { - "id": 151, + "id": 148, "newsType": "news", - "title": "Proofpoint Added as CVE Numbering Authority (CNA)", + "title": "Grafana Labs Added as CVE Numbering Authority (CNA)", "date": "2022-11-22", "description": [ { "contentnewsType": "paragraph", - "content": "Proofpoint Inc. is now a CVE Numbering Authority (CNA) for all Proofpoint products." + "content": "Grafana Labs is now a CVE Numbering Authority (CNA) for all Grafana Labs open source and commercial products." }, { "contentnewsType": "paragraph", - "content": "To date, 259 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." 
+ "content": "To date, 256 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." }, { "contentnewsType": "paragraph", - "content": "Proofpoint’s Root is the MITRE Top-Level Root." + "content": "Grafana Labs’ Root is the MITRE Top-Level Root." } ] }, - { - "id": 150, - "newsType": "news", - "title": "Docker Added as CVE Numbering Authority (CNA)", - "date": "2022-11-22", - "description": [ - { - "contentnewsType": "paragraph", - "content": "Docker Inc. is now a CVE Numbering Authority (CNA) for all Docker products, including Docker Desktop and Docker Hub, as well as Docker maintained open-source projects." - }, - { - "contentnewsType": "paragraph", - "content": "To date, 258 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." - }, - { - "contentnewsType": "paragraph", - "content": "Docker’s Root is the MITRE Top-Level Root." - } - ] - }, - { - "id": 149, - "newsType": "news", - "title": "wolfSSL Added as CVE Numbering Authority (CNA)", - "date": "2022-11-22", - "description": [ - { - "contentnewsType": "paragraph", - "content": "wolfSSL Inc. is now a CVE Numbering Authority (CNA) for Transport Layer Security (TLS) and Cryptographic issues found in wolfSSL products." - }, - { - "contentnewsType": "paragraph", - "content": "To date, 257 organizations from 35 countries have partnered with the CVE Program. 
CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." - }, - { - "contentnewsType": "paragraph", - "content": "wolfSSL’s Root is the CISA ICS Top-Level Root." - } - ] - }, - { - "id": 148, - "newsType": "news", - "title": "Grafana Labs Added as CVE Numbering Authority (CNA)", - "date": "2022-11-22", - "description": [ - { - "contentnewsType": "paragraph", - "content": "Grafana Labs is now a CVE Numbering Authority (CNA) for all Grafana Labs open source and commercial products." - }, - { - "contentnewsType": "paragraph", - "content": "To date, 256 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." - }, - { - "contentnewsType": "paragraph", - "content": "Grafana Labs’ Root is the MITRE Top-Level Root." - } - ] - }, - { + { "id": 147, "newsType": "news", "title": "CVE JSON 5.0, CVE Services Clients & More Videos from the “CVE Services Workshop” Now Available", 
@@ -8617,8 +9089,8 @@ }, { "contentnewsType": "paragraph", - "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." - } + "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." + } ] }, { @@ -8783,7 +9255,7 @@ }, "title": "", "bio": "" - }, + }, "description": [ { "contentnewsType": "paragraph", @@ -8806,7 +9278,7 @@ "content": "Our CVE Story: VulDB
by Marc Ruef, founder of VulDB
" }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "Our CVE Story: CERT@VDE
by Jochen Becker, Information Security Manager at CERT@VDE
" }, { @@ -8869,13 +9341,13 @@ "contentnewsType": "paragraph", "content": "CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign. To see the current list of CNAs, visit the List of Partners page. To see partner metrics, such as the numbers of organizations participating and countries represented, click here." }, - { - "contentnewsType": "paragraph", - "content": "Learn how to become a CNA or contact one of the following to start the partnering process today:" - }, - { - "contentnewsType": "paragraph", - "content": "" + { + "contentnewsType": "paragraph", + "content": "Learn how to become a CNA or contact one of the following to start the partnering process today:" + }, + { + "contentnewsType": "paragraph", + "content": "" }, { "contentnewsType": "paragraph", @@ -8945,7 +9417,7 @@ }, "title": "CNACWG Chair", "bio": "Tod Beardsley, of Rapid7, is a CVE Board Member and Chair of the CNACWG" - }, + }, "description": [ { "contentnewsType": "paragraph", @@ -8966,7 +9438,7 @@ { "contentnewsType": "paragraph", "content": "Best of all, once you feel like you’ve handled enough CVEs that you’ve overcome your own imposter syndrome, you can turn around and become a mentor yourself! We’re signing up new CNAs all the time, so it’s likely that whatever strange twist you’ve run into, and handled, is about to happen to someone else. Plus, you might make a new friend who cares about vulnerability disclosure and the fiddly bits of bug documentation as much as you do." - }, + }, { "contentnewsType": "paragraph", "content": "CVE is almost entirely a volunteer organization, and always will be. As with any volunteering endeavor, building those personal connections with the people involved is a great way to help strengthen the community of CNAs, as well as make your own job as a CVE expert (newly minted or veteran pro) just a smidge easier." 
@@ -9046,7 +9518,7 @@ }, "title": "", "bio": "" - }, + }, "description": [ { "contentnewsType": "paragraph", @@ -9085,11 +9557,11 @@ "content": "Dual Vipers LLC is now a CVE Numbering Authority (CNA) for Dual Vipers projects and products (both open and closed source), as well as vulnerabilities in third-party software discovered by Dual Vipers that are not in another CNA’s scope." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "To date, 240 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "Dual Vipers’ Root is the MITRE Top-Level Root." } ] @@ -9105,15 +9577,15 @@ "content": "CyberArk Labs is now a CVE Numbering Authority (CNA) for vulnerabilities discovered by CyberArk Labs that are not in another CNA’s scope." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "To date, 239 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "CyberArk Labs’ Root is the MITRE Top-Level Root." } ] - }, + }, { "id": 122, "newsType": "podcast", 
@@ -9133,7 +9605,7 @@
 "content": "Tod also writes about many of these topics in his article, An Inside Look at What Makes the CVE Program Tick, on SCMagazine."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "“We Speak CVE” is a free podcast about cybersecurity, vulnerability management, and the CVE Program. Listen on the CVE Program Channel on YouTube, on We Speak CVE page on Buzzsprout, and on major podcast directories such as Spotify, Stitcher, Google Podcasts, Apple Podcasts, iHeartRadio, Podcast Addict, Podchaser, Pocket Casts, Deezer, Listen Notes, Player FM, and Podcast Index, among others."
 }
 ],
@@ -9152,9 +9624,9 @@
 {
 "contentnewsType": "paragraph",
 "content": "As stated on the Security Nation webpage, in the episode “Chris Levendis of [the CVE Program] and Lisa Olson of Microsoft [discuss] assigning CVE IDs for vulnerabilities affecting cloud solutions. They recount their experiences working with the CVE board to establish guidelines for disclosing cloud vulnerabilities and talk through some of the challenges in understanding responsibility for mitigating and managing risks in the cloud.”"
- },
+ },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "Listen to the podcast on the Security Nation website."
 }
 ]
@@ -9182,7 +9654,7 @@
 "content": "The CVE Board held a teleconference meeting on September 14, 2022. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -9201,7 +9673,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "Red Hat is now designated as a Root for any open-source organizations that choose Red Hat as their Root. However, organizations are free to choose another Root if it suits them better."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "As a Root, Red Hat is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CVE Numbering Authorities (CNAs) under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope."
@@ -9238,7 +9710,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "INCIBE is now designated as a Root for Spain Organizations. As a Root for Spain Organizations, INCIBE is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CVE Numbering Authorities (CNAs) under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "INCIBE has also extended its CNA scope responsibilities to those CVE candidates reported to INCIBE by researchers that are not within the scope of another CNA."
@@ -9265,7 +9737,7 @@
 }
 ]
 },
- {
+ {
 "id": 116,
 "displayOnHomepageOrder": 0,
 "newsType": "press-release",
@@ -9279,7 +9751,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "CISA is now designated a Top-Level Root (TL-Root) for industrial control systems (ICS) and medical device vendors participating as CVE Numbering Authorities (CNAs). CNAs are organizations authorized to assign CVE IDs for vulnerabilities affecting products within a distinct scope. A Top-Level Root, such as CISA, manages a group of CNAs within a given domain or community and may assign CVE IDs to vulnerabilities."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "As the Top-Level Root for ICS and medical devices, CISA is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CNAs under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope."
@@ -9347,7 +9819,7 @@
 ]
 },
 {
- "id": 114,
+ "id": 114,
 "newsType": "blog",
 "title": "Dispelling the Myth: CVE ID Assignment and Record Publication for Vulnerabilities Affecting Cloud Services",
 "date": "2022-09-13",
@@ -9359,7 +9831,7 @@
 },
 "title": "",
 "bio": ""
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
@@ -9408,7 +9880,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "In addition, a CVE ID assigned to a cloud service must be tagged as being assigned to an “exclusively-hosted-service” to help users easily recognize CVE IDs assigned to vulnerabilities affecting cloud services."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "The CVE Board is continually evaluating how to best address the issue of vulnerabilities affecting cloud services. The current approach is imperfect. Creating many additional thousands of inactionable CVE Records is also imperfect. Stay tuned for additional blogs and potential rule changes related to cloud and other issues."
@@ -9436,7 +9908,7 @@
 },
 "title": "",
 "bio": ""
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
@@ -9445,7 +9917,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "Red Hat is now designated as a Root for any open-source organizations that choose Red Hat as their Root. However, organizations are free to choose another Root if it suits them better."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "As a Root, Red Hat is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CVE Numbering Authorities (CNAs) under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope."
@@ -9484,283 +9956,295 @@ }, { "contentnewsType": "paragraph", - "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." - } - ] - }, - { - "id": 111, - "newsType": "news", - "title": "“CVE Services Workshop” for CNAs to Be Held on November 2, 2022 (Updated)", - "date": "2022-08-30", - "description": [ + "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." + } + ] + }, + { + "id": 111, + "newsType": "news", + "title": "“CVE Services Workshop” for CNAs to Be Held on November 2, 2022 (Updated)", + "date": "2022-08-30", + "description": [ + { + "contentnewsType": "paragraph", + "content": "The CVE Program will host a virtual “CVE Services Workshop” for CVE Numbering Authorities (CNAs) on November 2, 2022, from 10:00 a.m. 2:00 p.m. ET." + }, + { + "contentnewsType": "paragraph", + "content": "CNAs will learn:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "All CNAs should attend this workshop. An agenda and registration information were sent to all CNAs on October 5, 2022. There is no limit on the number of attendees that can participate from your organization." + }, + { + "contentnewsType": "paragraph", + "content": "Questions? 
Please use the CVE Request Web Forms and select “Other” from the dropdown." + }, + { + "contentnewsType": "paragraph", + "content": "Note: This article was modified on October 11, 2022, to update the beginning and end times of the workshop, as well as other event details." + } + ] + }, + { + "id": 110, + "newsType": "news", + "title": "The OpenNMS Group Added as CVE Numbering Authority (CNA)", + "date": "2022-08-30", + "description": [ + { + "contentnewsType": "paragraph", + "content": "The OpenNMS Group is now a CVE Numbering Authority (CNA) for OpenNMS issues only." + }, + { + "contentnewsType": "paragraph", + "content": "To date, 237 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." + }, + { + "contentnewsType": "paragraph", + "content": "OpenNMS’ Root is the MITRE Top-Level Root." + } + ] + }, + { + "id": 109, + "newsType": "news", + "title": "Minutes from CVE Board Teleconference Meeting on August 17 Now Available", + "date": "2022-08-30", + "description": [ + { + "contentnewsType": "paragraph", + "content": "The CVE Board held a teleconference meeting on August 17, 2022. Read the meeting minutes." + }, + { + "contentnewsType": "paragraph", + "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." 
+ } + ] + }, + { + "id": 108, + "newsType": "news", + "title": "Rockwell Automation Added as CVE Numbering Authority (CNA)", + "date": "2022-08-23", + "description": [ + { + "contentnewsType": "paragraph", + "content": "Rockwell Automation is now a CVE Numbering Authority (CNA) for all Rockwell Automation products." + }, + { + "contentnewsType": "paragraph", + "content": "To date, 236 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." + }, + { + "contentnewsType": "paragraph", + "content": "Rockwell Automation’s Root is the CISA ICS Top-Level Root." + } + ] + }, + { + "id": 107, + "newsType": "blog", + "title": "CVE Program Report for Quarter 2 Calendar Year (Q2 CY) 2022", + "date": "2022-08-16", + "author": { + "name": "CVE Program", + "organization": { + "name": "CVE Program", + "url": "" + }, + "title": "", + "bio": "" + }, + "description": [ + { + "contentnewsType": "paragraph", + "content": "The CVE Program’s quarterly summary of program milestones and metrics for Q2 CY 2022." + }, + { + "contentnewsType": "paragraph", + "content": "

Q2 CY 2022 Milestones

" + }, + { + "contentnewsType": "paragraph", + "content": "

13 CVE Numbering Authorities (CNAs) Added

" + }, + { + "contentnewsType": "paragraph", + "content": "Thirteen new CNAs were added by the two Top-Level Roots (TL-Roots), Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) and The MITRE Corporation, and two of the Roots, Google LLC and JPCERT/CC." + }, + { + "contentnewsType": "paragraph", + "content": "CISA ICS TL-Root:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "MITRE TL-Root:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "Google Root:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "JPCERT/CC Root:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "

CNA Community Conducts Pen Testing of CVE Services

" + }, + { + "contentnewsType": "paragraph", + "content": "The CNA community, led by the CVE Automation Working Group (AWG), conducted a second round of penetration testing of the CVE Services from July 18-29, the purpose of which was to identify issues that must be addressed prior to CVE Services 2.1 and CVE JSON 5.0 deployment. The results of the second round are currently being reviewed and adjudicated by the AWG. The first round of penetration testing of CVE Services 2.1 was conducted in March. We thank all of the community members who participated in this valuable activity." + }, + { + "contentnewsType": "paragraph", + "content": "

Community Updated About Methods for Submitting CVE Records after CVE Services 2.1 and CVE JSON 5.0 Deployment

" + }, + { + "contentnewsType": "paragraph", + "content": "In May, the community was updated about the methods for reserving CVE IDs and submitting CVE Records that will be available once CVE Services 2.1/CVE JSON 5.0 are deployed. For non-CNAs, the existing method for requesting CVE IDs will not be affected. For CNAs, there will be five options available, two of which will be supported for a limited time to help CNAs with the transition. The two temporary optionsCNAs using the CVE Program Secretariat Web Forms and the CVE List GitHub Submission Pilotwill continue for 90 days after deployment and then be retired. The other three options using Vulnogram, adopting an available CVE Services Client, and CNAs developing and using their own CVE Services clientswill continue to be actively supported by the CVE Program moving forward. More details about each of these options are available here." + }, + { + "contentnewsType": "paragraph", + "content": "

Value of Assigning CVE Records & Best Practices for Working with PSIRTs

" + }, + { + "contentnewsType": "paragraph", + "content": "The “We Speak CVE” podcast series provides new and valuable information to the community about the CVE Program, vulnerability management, and cybersecurity. In June, “The Value of Assigning CVEs” episode educated the community about how and why CVEs are assigned, the value of CVEs in vulnerability management, responsible coordination of vulnerability disclosures, the importance of comprehensiveness in security advisories, and why there is no stigma in a CVE. In May, “Researchers and PSIRTs Working Well Together” provided insight into what security researchers should expect when reporting vulnerabilities to a Product Security Incident Response Team (PSIRT); how to best to collaborate with them; how to interpret responses from the PSIRT; how to get the best outcome when making a report; supported versus end-of-life (EOL) products; CNA scopes; timing of a patch versus the publication of a CVE Record; and more." + }, + { + "contentnewsType": "paragraph", + "content": "

VulDB Explains Why It Partnered with the CVE Program

" + }, + { + "contentnewsType": "paragraph", + "content": "In the “Our CVE Story” series on the CVE Blog, CNAs tell their CVE Program story from their own unique perspective. In May, “Our CVE Story: VulDB” was contributed by Marc Ruef, the founder of VulDB." + }, + { + "contentnewsType": "paragraph", + "content": "

Q2 CY 2022 Metrics

" + }, + { + "contentnewsType": "paragraph", + "content": "Metrics for Q2 CY 2022 Published CVE Records and Reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons." + }, + { + "contentnewsType": "paragraph", + "content": "Terminology
" + }, + { + "contentnewsType": "paragraph", + "content": "

Published CVE Records

" + }, + { + "contentnewsType": "paragraph", + "content": "As shown in the table below, CVE Program production was 6,365 CVE Records for CY Q2 2022. This is a 5% increase over the previous quarter of 6,015 records published in CY Q1 2022. This includes all CVE Records published by all CNAs and the two CNAs of Last Resort (CNA-LRs)." + }, { - "contentnewsType": "paragraph", - "content": "The CVE Program will host a virtual “CVE Services Workshop” for CVE Numbering Authorities (CNAs) on November 2, 2022, from 10:00 a.m. 2:00 p.m. ET." + "contentnewsType": "table", + "title": "", + "year": "2022", + "quarter": [ + "Q1", + "Q2" + ], + "dataRowTitle": "CVE Records Published by All CNAs", + "dataRowCounts": [ + "6,015", + "6,365" + ] }, { "contentnewsType": "paragraph", - "content": "CNAs will learn:" + "content": "

Reserved CVE IDs

" }, { "contentnewsType": "paragraph", - "content": "" + "content": "The CVE Program tracks reserved CVE IDs. As shown in the table below, 7,922 CVE IDs were in the “Reserved” state in Q2 CY 2022, a slight 1% decrease from the 8,030 IDs reserved in the previous quarter CY Q1 2022. This includes all CVE IDs reserved by all CNAs and the two CNA-LRs." }, { - "contentnewsType": "paragraph", - "content": "All CNAs should attend this workshop. An agenda and registration information were sent to all CNAs on October 5, 2022. There is no limit on the number of attendees that can participate from your organization." - }, + "contentnewsType": "table", + "title": "", + "year": "2022", + "quarter": [ + "Q1", + "Q2" + ], + "dataRowTitle": "CVE IDs Reserved by All CNAs", + "dataRowCounts": [ + "8,030", + "7,922" + ] + }, { "contentnewsType": "paragraph", - "content": "Questions? Please use the CVE Request Web Forms and select “Other” from the dropdown." + "content": "

CVE IDs Reserved/CVE Records Published Quarterly Trend by CY

" }, { - "contentnewsType": "paragraph", - "content": "Note: This article was modified on October 11, 2022, to update the beginning and end times of the workshop, as well as other event details." - } - ] - }, - { - "id": 110, - "newsType": "news", - "title": "The OpenNMS Group Added as CVE Numbering Authority (CNA)", - "date": "2022-08-30", - "description": [ + "contentnewsType": "image", + "imageWidth": "", + "href": "/news/cveProgramReport/reservedCVEIDspublishedCVERecordsQuarterlyTrendQ2CY2022.png", + "altText": "Quarterly trend of reserved CVE IDs and published CVE Records for calendar years for 2020-2022 by all CNAs and CNA-LRs", + "captionText": "Quarterly trend of reserved CVE IDs and published CVE Records by all CNAs and CNA-LRs.
View as tables on the Metrics page." + }, { "contentnewsType": "paragraph", - "content": "The OpenNMS Group is now a CVE Numbering Authority (CNA) for OpenNMS issues only." + "content": "

CNA Partners Grow the CVE List

" }, { - "contentnewsType": "paragraph", - "content": "To date, 237 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." + "contentnewsType": "paragraph", + "content": "All of the CVE IDs and CVE Records cited in the metrics above are assigned and published by CNAs and the two CNA-LRs, within their own specific scopes." }, { - "contentnewsType": "paragraph", - "content": "OpenNMS’ Root is the MITRE Top-Level Root." - } - ] - }, - { - "id": 109, - "newsType": "news", - "title": "Minutes from CVE Board Teleconference Meeting on August 17 Now Available", - "date": "2022-08-30", - "description": [ + "contentnewsType": "paragraph", + "content": "CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign. Currently, 235 organizations from 35 countries have partnered with the CVE Program." + }, { "contentnewsType": "paragraph", - "content": "The CVE Board held a teleconference meeting on August 17, 2022. Read the meeting minutes." + "content": "Learn how to become a CNA or contact one of the following to start the partnering process today:" }, { - "contentnewsType": "paragraph", - "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." 
- } - ] - }, - { - "id": 108, - "newsType": "news", - "title": "Rockwell Automation Added as CVE Numbering Authority (CNA)", - "date": "2022-08-23", - "description": [ + "contentnewsType": "paragraph", + "content": "" + }, { "contentnewsType": "paragraph", - "content": "Rockwell Automation is now a CVE Numbering Authority (CNA) for all Rockwell Automation products." + "content": "

Comments or Questions?

" }, { "contentnewsType": "paragraph", - "content": "To date, 236 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." + "content": "If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu." }, { "contentnewsType": "paragraph", - "content": "Rockwell Automation’s Root is the CISA ICS Top-Level Root." + "content": "We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!" } ] }, { - "id": 107, - "newsType": "blog", - "title": "CVE Program Report for Quarter 2 Calendar Year (Q2 CY) 2022", - "date": "2022-08-16", - "author": { - "name": "CVE Program", - "organization": { - "name": "CVE Program", - "url": "" - }, - "title": "", - "bio": "" - }, - "description": [ - { - "contentnewsType": "paragraph", - "content": "The CVE Program’s quarterly summary of program milestones and metrics for Q2 CY 2022." - }, - { - "contentnewsType": "paragraph", - "content": "

Q2 CY 2022 Milestones

" - }, - { - "contentnewsType": "paragraph", - "content": "

13 CVE Numbering Authorities (CNAs) Added

" - }, - { - "contentnewsType": "paragraph", - "content": "Thirteen new CNAs were added by the two Top-Level Roots (TL-Roots), Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) and The MITRE Corporation, and two of the Roots, Google LLC and JPCERT/CC." - }, - { - "contentnewsType": "paragraph", - "content": "CISA ICS TL-Root:" - }, - { - "contentnewsType": "paragraph", - "content": "" - }, - { - "contentnewsType": "paragraph", - "content": "MITRE TL-Root:" - }, - { - "contentnewsType": "paragraph", - "content": "" - }, - { - "contentnewsType": "paragraph", - "content": "Google Root:" - }, - { - "contentnewsType": "paragraph", - "content": "" - }, - { - "contentnewsType": "paragraph", - "content": "JPCERT/CC Root:" - }, - { - "contentnewsType": "paragraph", - "content": "" - }, - { - "contentnewsType": "paragraph", - "content": "

CNA Community Conducts Pen Testing of CVE Services

" - }, - { - "contentnewsType": "paragraph", - "content": "The CNA community, led by the CVE Automation Working Group (AWG), conducted a second round of penetration testing of the CVE Services from July 18-29, the purpose of which was to identify issues that must be addressed prior to CVE Services 2.1 and CVE JSON 5.0 deployment. The results of the second round are currently being reviewed and adjudicated by the AWG. The first round of penetration testing of CVE Services 2.1 was conducted in March. We thank all of the community members who participated in this valuable activity." - }, - { - "contentnewsType": "paragraph", - "content": "

Community Updated About Methods for Submitting CVE Records after CVE Services 2.1 and CVE JSON 5.0 Deployment

" - }, - { - "contentnewsType": "paragraph", - "content": "In May, the community was updated about the methods for reserving CVE IDs and submitting CVE Records that will be available once CVE Services 2.1/CVE JSON 5.0 are deployed. For non-CNAs, the existing method for requesting CVE IDs will not be affected. For CNAs, there will be five options available, two of which will be supported for a limited time to help CNAs with the transition. The two temporary optionsCNAs using the CVE Program Secretariat Web Forms and the CVE List GitHub Submission Pilotwill continue for 90 days after deployment and then be retired. The other three options using Vulnogram, adopting an available CVE Services Client, and CNAs developing and using their own CVE Services clientswill continue to be actively supported by the CVE Program moving forward. More details about each of these options are available here." - }, - { - "contentnewsType": "paragraph", - "content": "

Value of Assigning CVE Records & Best Practices for Working with PSIRTs

" - }, - { - "contentnewsType": "paragraph", - "content": "The “We Speak CVE” podcast series provides new and valuable information to the community about the CVE Program, vulnerability management, and cybersecurity. In June, “The Value of Assigning CVEs” episode educated the community about how and why CVEs are assigned, the value of CVEs in vulnerability management, responsible coordination of vulnerability disclosures, the importance of comprehensiveness in security advisories, and why there is no stigma in a CVE. In May, “Researchers and PSIRTs Working Well Together” provided insight into what security researchers should expect when reporting vulnerabilities to a Product Security Incident Response Team (PSIRT); how to best to collaborate with them; how to interpret responses from the PSIRT; how to get the best outcome when making a report; supported versus end-of-life (EOL) products; CNA scopes; timing of a patch versus the publication of a CVE Record; and more." - }, - { - "contentnewsType": "paragraph", - "content": "

VulDB Explains Why It Partnered with the CVE Program

" - }, - { - "contentnewsType": "paragraph", - "content": "In the “Our CVE Story” series on the CVE Blog, CNAs tell their CVE Program story from their own unique perspective. In May, “Our CVE Story: VulDB” was contributed by Marc Ruef, the founder of VulDB." - }, - { - "contentnewsType": "paragraph", - "content": "

Q2 CY 2022 Metrics

" - }, - { - "contentnewsType": "paragraph", - "content": "Metrics for Q2 CY 2022 Published CVE Records and Reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons." - }, - { - "contentnewsType": "paragraph", - "content": "Terminology
" - }, - { - "contentnewsType": "paragraph", - "content": "

Published CVE Records

" - }, - { - "contentnewsType": "paragraph", - "content": "As shown in the table below, CVE Program production was 6,365 CVE Records for CY Q2 2022. This is a 5% increase over the previous quarter of 6,015 records published in CY Q1 2022. This includes all CVE Records published by all CNAs and the two CNAs of Last Resort (CNA-LRs)." - }, - { - "contentnewsType": "table", - "title": "", - "year": "2022", - "quarter": ["Q1", "Q2"], - "dataRowTitle": "CVE Records Published by All CNAs", - "dataRowCounts": ["6,015", "6,365"] - }, - { - "contentnewsType": "paragraph", - "content": "

Reserved CVE IDs

" - }, - { - "contentnewsType": "paragraph", - "content": "The CVE Program tracks reserved CVE IDs. As shown in the table below, 7,922 CVE IDs were in the “Reserved” state in Q2 CY 2022, a slight 1% decrease from the 8,030 IDs reserved in the previous quarter CY Q1 2022. This includes all CVE IDs reserved by all CNAs and the two CNA-LRs." - }, - { - "contentnewsType": "table", - "title": "", - "year": "2022", - "quarter": [ "Q1", "Q2"], - "dataRowTitle": "CVE IDs Reserved by All CNAs", - "dataRowCounts": ["8,030", "7,922"] - }, - { - "contentnewsType": "paragraph", - "content": "

CVE IDs Reserved/CVE Records Published Quarterly Trend by CY

" - }, - { - "contentnewsType": "image", - "imageWidth": "", - "href": "/news/cveProgramReport/reservedCVEIDspublishedCVERecordsQuarterlyTrendQ2CY2022.png", - "altText": "Quarterly trend of reserved CVE IDs and published CVE Records for calendar years for 2020-2022 by all CNAs and CNA-LRs", - "captionText": "Quarterly trend of reserved CVE IDs and published CVE Records by all CNAs and CNA-LRs.
View as tables on the Metrics page." - }, - { - "contentnewsType": "paragraph", - "content": "

CNA Partners Grow the CVE List

" - }, - { - "contentnewsType": "paragraph", - "content": "All of the CVE IDs and CVE Records cited in the metrics above are assigned and published by CNAs and the two CNA-LRs, within their own specific scopes." - }, - { - "contentnewsType": "paragraph", - "content": "CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign. Currently, 235 organizations from 35 countries have partnered with the CVE Program." - }, - { - "contentnewsType": "paragraph", - "content": "Learn how to become a CNA or contact one of the following to start the partnering process today:" - }, - { - "contentnewsType": "paragraph", - "content": "" - }, - { - "contentnewsType": "paragraph", - "content": "

Comments or Questions?

" - }, - { - "contentnewsType": "paragraph", - "content": "If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu." - }, - { - "contentnewsType": "paragraph", - "content": "We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!" - } - ] - }, - { "id": 106, "newsType": "news", "title": "Minutes from CVE Board Teleconference Meeting on August 3 Now Available", @@ -9883,7 +10367,7 @@ "content": "FULL INTERNET is now a CVE Numbering Authority (CNA) for all FULL products, as well as vulnerabilities in third-party software discovered by FULL that are not in another CNA’s scope." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "To date, 231 organizations from 35 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." }, { @@ -9979,11 +10463,11 @@ "content": "GE Healthcare is now a CVE Numbering Authority (CNA) for GE Healthcare products." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "To date, 226 organizations from 34 countries have partnered with the CVE Program. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "GE Healthcare’s Root is the CISA ICS Top-Level Root." } ] 
@@ -10100,7 +10584,7 @@
 "date": "2022-06-02",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board held a teleconference meeting on May 25, 2022. Read the meeting minutes."
 },
 {
@@ -10122,162 +10606,170 @@
 },
 "title": "",
 "bio": ""
- },
- "description": [
- {
- "contentnewsType": "paragraph",
- "content": "The CVE Program’s quarterly summary of program milestones and metrics for Q1 CY 2022."
- },
- {
- "contentnewsType": "paragraph",
- "content": "

Q1 CY 2022 Milestones

" - }, - { - "contentnewsType": "paragraph", - "content": "

6 CVE Numbering Authorities (CNAs) Added

" - }, - { - "contentnewsType": "paragraph", - "content": "Six new CNAs were added by the two Top-Level Roots (TL-Roots), Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) and The MITRE Corporation Top-Level Root." - }, - { - "contentnewsType": "paragraph", - "content": "CISA ICS TL-Root:" - }, - { - "contentnewsType": "paragraph", - "content": "" - }, - { - "contentnewsType": "paragraph", - "content": "MITRE TL-Root:" - }, - { - "contentnewsType": "paragraph", - "content": "" - }, - { - "contentnewsType": "paragraph", - "content": "

CVE Program Expands Partnership with Google

" - }, - { - "contentnewsType": "paragraph", - "content": "The CVE Program announced on January 25 that it was expanding its partnership with Google for managing the assignment of CVE IDs for the CVE Program. Google is now designated as a Root for all of the Alphabet organizations that have already partnered with the CVE Program Android, Chrome, and Google LLCas well as any future Alphabet organizations. As a Root for Alphabet’s organizations, Google is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CNAs under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope. Go Project was added as CNA under the Google Root on April 26." - }, - { - "contentnewsType": "paragraph", - "content": "

Community Updated About Upcoming Changes to CVE Record Format JSON and CVE List Content Downloads

" - }, - { - "contentnewsType": "paragraph", - "content": "In early January, the CVE Program announced two major changes that will take place in 2022: The main format for submission and publishing of CVE Records, CVE JSON 4.0, is being upgraded to a new, richer format: JSON 5.0. Legacy CVE List download file options are being replaced with a single supported download format: JSON. The changes were announced early to ensure CNAs, CVE consumers such as tool vendors, and other stakeholders, could begin preparing for this important transition. Updates and follow-on announcements are available here." - }, - { - "contentnewsType": "paragraph", - "content": "

The Latest on Transitioning to CVE Services 2.1 and CVE JSON 5.0

" - }, - { - "contentnewsType": "paragraph", - "content": "A new “We Speak CVE” podcast episode was released in March to update CNAs and the community about the transition that is currently underway for CNAs to CVE Services 2.1 and CVE JSON 5.0. The discussion included how the new services and data format will enable effective and secure automation, improve workflows, and reduce the transaction costs of program participation for CNAs, as well as provide enhanced information in CVE Records for use by downstream consumers." - }, - { - "contentnewsType": "paragraph", - "content": "

New CVE Program Automation Resource now Available for CNAs

" - }, - { - "contentnewsType": "paragraph", - "content": "A new CVE Program Automation Website was launched on March 22 to provide CNAs with a one-stop resource to stay informed about CVE Program automation efforts, especially the upcoming transition to CVE Services 2.1 and CVE JSON 5.0. The initial launch version of the website includes a CVE Services Overview, JSON 5.0 Overview, and links to resources for both efforts. Also included are a Latest Announcements page and a CVE Automation Transition Details page for CNAs that includes transition details and deployment timelines, both of which will be regularly updated." - }, - { - "contentnewsType": "paragraph", - "content": "

Q1 CY 2022 Metrics

" - }, - { - "contentnewsType": "paragraph", - "content": "Metrics for Q1 CY 2022 Published CVE Records and Reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons." - }, - { - "contentnewsType": "paragraph", - "content": "Terminology
" - }, - { - "contentnewsType": "paragraph", - "content": "

Published CVE Records

" - }, - { - "contentnewsType": "paragraph", - "content": "As shown in the table below, CVE Program production was 6,015 CVE Records for CY Q1 2022. This is a 14% increase over the previous quarter of 5,200 records published in CY Q4 2021. This includes all CVE Records published by all CNAs and the two CNAs of Last Resort (CNA-LRs)." - }, - { - "contentnewsType": "table", - "title": "", - "year": "2022", - "quarter": [ "Q1"], - "dataRowTitle": "CVE Records Published by All CNAs", - "dataRowCounts": ["6,015"] - }, - { - "contentnewsType": "paragraph", - "content": "

Reserved CVE IDs

" - }, - { - "contentnewsType": "paragraph", - "content": "The CVE Program tracks reserved CVE IDs. As shown in the table below, 8,030 CVE IDs were in the “Reserved” state in Q1 CY 2022, a 15% increase over the previous quarter of 6,802 IDs reserved in CY Q4 2021. This includes all CVE IDs reserved by all CNAs and the two CNA-LRs." - }, - { - "contentnewsType": "table", - "title": "", - "year": "2022", - "quarter": [ "Q1"], - "dataRowTitle": "CVE IDs Reserved by All CNAs", - "dataRowCounts": ["8,030"] - }, - { - "contentnewsType": "paragraph", - "content": "

CVE IDs Reserved/CVE Records Published Quarterly Trend by CY

" - }, - { - "contentnewsType": "image", - "imageWidth": "", - "href": "/news/cveProgramReport/reservedCVEIDspublishedCVERecordsQuarterlyTrend.png", - "altText": "Quarterly trend of reserved CVE IDs and published CVE Records for calendar years for 2020-2022 by all CNAs and CNA-LRs", - "captionText": "Quarterly trend of reserved CVE IDs and published CVE Records by all CNAs and CNA-LRs.
View as tables on the Metrics page." - }, - { - "contentnewsType": "paragraph", - "content": "

CNA Partners Grow the CVE List

" - }, - { - "contentnewsType": "paragraph", - "content": "All of the CVE IDs and CVE Records cited in the metrics above are assigned and published by CNAs and the two CNA-LRs, within their own specific scopes." - }, - { - "contentnewsType": "paragraph", - "content": "CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign. Currently, 221 organizations from 34 countries have partnered with the CVE Program." - }, - { - "contentnewsType": "paragraph", - "content": "Learn how to become a CNA or contact one of the following to start the partnering process today:" - }, - { - "contentnewsType": "paragraph", - "content": "" }, - { - "contentnewsType": "paragraph", - "content": "

Comments or Questions?

" - }, - { - "contentnewsType": "paragraph", - "content": "If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu." - }, - { - "contentnewsType": "paragraph", - "content": "We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!" - } - ] - }, - { + "description": [ + { + "contentnewsType": "paragraph", + "content": "The CVE Program’s quarterly summary of program milestones and metrics for Q1 CY 2022." + }, + { + "contentnewsType": "paragraph", + "content": "

Q1 CY 2022 Milestones

" + }, + { + "contentnewsType": "paragraph", + "content": "

6 CVE Numbering Authorities (CNAs) Added

" + }, + { + "contentnewsType": "paragraph", + "content": "Six new CNAs were added by the two Top-Level Roots (TL-Roots), Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) and The MITRE Corporation Top-Level Root." + }, + { + "contentnewsType": "paragraph", + "content": "CISA ICS TL-Root:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "MITRE TL-Root:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "

CVE Program Expands Partnership with Google

" + }, + { + "contentnewsType": "paragraph", + "content": "The CVE Program announced on January 25 that it was expanding its partnership with Google for managing the assignment of CVE IDs for the CVE Program. Google is now designated as a Root for all of the Alphabet organizations that have already partnered with the CVE Program Android, Chrome, and Google LLCas well as any future Alphabet organizations. As a Root for Alphabet’s organizations, Google is responsible for ensuring the effective assignment of CVE IDs, implementing the CVE Program rules and guidelines, and managing the CNAs under its care. It is also responsible for recruitment and onboarding of new CNAs and resolving disputes within its scope. Go Project was added as CNA under the Google Root on April 26." + }, + { + "contentnewsType": "paragraph", + "content": "

Community Updated About Upcoming Changes to CVE Record Format JSON and CVE List Content Downloads

" + }, + { + "contentnewsType": "paragraph", + "content": "In early January, the CVE Program announced two major changes that will take place in 2022: The main format for submission and publishing of CVE Records, CVE JSON 4.0, is being upgraded to a new, richer format: JSON 5.0. Legacy CVE List download file options are being replaced with a single supported download format: JSON. The changes were announced early to ensure CNAs, CVE consumers such as tool vendors, and other stakeholders, could begin preparing for this important transition. Updates and follow-on announcements are available here." + }, + { + "contentnewsType": "paragraph", + "content": "

The Latest on Transitioning to CVE Services 2.1 and CVE JSON 5.0

" + }, + { + "contentnewsType": "paragraph", + "content": "A new “We Speak CVE” podcast episode was released in March to update CNAs and the community about the transition that is currently underway for CNAs to CVE Services 2.1 and CVE JSON 5.0. The discussion included how the new services and data format will enable effective and secure automation, improve workflows, and reduce the transaction costs of program participation for CNAs, as well as provide enhanced information in CVE Records for use by downstream consumers." + }, + { + "contentnewsType": "paragraph", + "content": "

New CVE Program Automation Resource now Available for CNAs

" + }, + { + "contentnewsType": "paragraph", + "content": "A new CVE Program Automation Website was launched on March 22 to provide CNAs with a one-stop resource to stay informed about CVE Program automation efforts, especially the upcoming transition to CVE Services 2.1 and CVE JSON 5.0. The initial launch version of the website includes a CVE Services Overview, JSON 5.0 Overview, and links to resources for both efforts. Also included are a Latest Announcements page and a CVE Automation Transition Details page for CNAs that includes transition details and deployment timelines, both of which will be regularly updated." + }, + { + "contentnewsType": "paragraph", + "content": "

Q1 CY 2022 Metrics

" + }, + { + "contentnewsType": "paragraph", + "content": "Metrics for Q1 CY 2022 Published CVE Records and Reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons." + }, + { + "contentnewsType": "paragraph", + "content": "Terminology
" + }, + { + "contentnewsType": "paragraph", + "content": "

Published CVE Records

" + }, + { + "contentnewsType": "paragraph", + "content": "As shown in the table below, CVE Program production was 6,015 CVE Records for CY Q1 2022. This is a 14% increase over the previous quarter of 5,200 records published in CY Q4 2021. This includes all CVE Records published by all CNAs and the two CNAs of Last Resort (CNA-LRs)." + }, + { + "contentnewsType": "table", + "title": "", + "year": "2022", + "quarter": [ + "Q1" + ], + "dataRowTitle": "CVE Records Published by All CNAs", + "dataRowCounts": [ + "6,015" + ] + }, + { + "contentnewsType": "paragraph", + "content": "

Reserved CVE IDs

" + }, + { + "contentnewsType": "paragraph", + "content": "The CVE Program tracks reserved CVE IDs. As shown in the table below, 8,030 CVE IDs were in the “Reserved” state in Q1 CY 2022, a 15% increase over the previous quarter of 6,802 IDs reserved in CY Q4 2021. This includes all CVE IDs reserved by all CNAs and the two CNA-LRs." + }, + { + "contentnewsType": "table", + "title": "", + "year": "2022", + "quarter": [ + "Q1" + ], + "dataRowTitle": "CVE IDs Reserved by All CNAs", + "dataRowCounts": [ + "8,030" + ] + }, + { + "contentnewsType": "paragraph", + "content": "

CVE IDs Reserved/CVE Records Published Quarterly Trend by CY

" + }, + { + "contentnewsType": "image", + "imageWidth": "", + "href": "/news/cveProgramReport/reservedCVEIDspublishedCVERecordsQuarterlyTrend.png", + "altText": "Quarterly trend of reserved CVE IDs and published CVE Records for calendar years for 2020-2022 by all CNAs and CNA-LRs", + "captionText": "Quarterly trend of reserved CVE IDs and published CVE Records by all CNAs and CNA-LRs.
View as tables on the Metrics page." + }, + { + "contentnewsType": "paragraph", + "content": "

CNA Partners Grow the CVE List

" + }, + { + "contentnewsType": "paragraph", + "content": "All of the CVE IDs and CVE Records cited in the metrics above are assigned and published by CNAs and the two CNA-LRs, within their own specific scopes." + }, + { + "contentnewsType": "paragraph", + "content": "CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign. Currently, 221 organizations from 34 countries have partnered with the CVE Program." + }, + { + "contentnewsType": "paragraph", + "content": "Learn how to become a CNA or contact one of the following to start the partnering process today:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "

Comments or Questions?

" + }, + { + "contentnewsType": "paragraph", + "content": "If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu." + }, + { + "contentnewsType": "paragraph", + "content": "We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!" + } + ] + }, + { "id": 87, "newsType": "news", "title": "Minutes from CVE Board Teleconference Meeting on May 11 Now Available", @@ -10317,80 +10809,80 @@ "content": "Our story as a CNA is a bit different than others. But let us start at the true beginning: VulDB launched in 1997. It was a different time back then. When people were talking about vulnerabilities or exploits, they were talking about products: “Did you hear about the new wu-ftpd exploit?” Identifying issues was somehow easier because there were not that many of them, especially not the ones that really drew interest by attackers. If there was potential confusion, people were referring to version numbers of affected products or mentioned technical details such as vulnerable files or exploited functions." }, { - "contentnewsType": "paragraph", - "content": "When CVE was introduced in 1999, I was personally very skeptical. It sounded like a good idea, but I was doubtful that the program would be able to reach the level of technical flexibility and professionalism that would be required to add a sustainable benefit to the industry. I must admit, I was wrong to a large degree." + "contentnewsType": "paragraph", + "content": "When CVE was introduced in 1999, I was personally very skeptical. It sounded like a good idea, but I was doubtful that the program would be able to reach the level of technical flexibility and professionalism that would be required to add a sustainable benefit to the industry. I must admit, I was wrong to a large degree." + }, + { + "contentnewsType": "paragraph", + "content": "

Extended Coverage

" }, { - "contentnewsType": "paragraph", - "content": "

Extended Coverage

" + "contentnewsType": "paragraph", + "content": "Over the years, CVE made a lot of things easier for us. We are a vulnerability database with a scope that is different than vendor CNAs or vulnerability catalogs covering specific product types. We add everything that can be exploited in software or hardware. We are very close to hosting 200,000 entries in our database." }, { - "contentnewsType": "paragraph", - "content": "Over the years, CVE made a lot of things easier for us. We are a vulnerability database with a scope that is different than vendor CNAs or vulnerability catalogs covering specific product types. We add everything that can be exploited in software or hardware. We are very close to hosting 200,000 entries in our database." + "contentnewsType": "paragraph", + "content": "Even though we share a very similar philosophy to the CVE Program, our approach slightly differs. For example, we also accept submissions for vulnerabilities in malware. That is because we think that on top of the malicious code, additional attack surfaces are introduced, which increases the risk and people should know about this. You would be surprised how much malware comes with buffer overflows, directory traversal possibilities, and permission issues." }, { - "contentnewsType": "paragraph", - "content": "Even though we share a very similar philosophy to the CVE Program, our approach slightly differs. For example, we also accept submissions for vulnerabilities in malware. That is because we think that on top of the malicious code, additional attack surfaces are introduced, which increases the risk and people should know about this. You would be surprised how much malware comes with buffer overflows, directory traversal possibilities, and permission issues." + "contentnewsType": "paragraph", + "content": "

Duplicate Handling

" }, { - "contentnewsType": "paragraph", - "content": "

Duplicate Handling

" + "contentnewsType": "paragraph", + "content": "Due to our extended coverage, our main challenge is handling and preventing duplicates. We are very proud to have had just a handful of such duplicates in the last 25 years. In these rare cases, we use merge and forward capabilities to redirect users to the right entries. All edits are documented in a commit history, rendering changes very transparent." }, { - "contentnewsType": "paragraph", - "content": "Due to our extended coverage, our main challenge is handling and preventing duplicates. We are very proud to have had just a handful of such duplicates in the last 25 years. In these rare cases, we use merge and forward capabilities to redirect users to the right entries. All edits are documented in a commit history, rendering changes very transparent." + "contentnewsType": "paragraph", + "content": "Dealing with potential duplicates requires a lot of effort to verify, synchronize, and align vulnerability details. Our data team monitors thousands of sources 24/7. As soon as a new vulnerability disclosure is suspected, it is analyzed for eligibility." }, { - "contentnewsType": "paragraph", - "content": "Dealing with potential duplicates requires a lot of effort to verify, synchronize, and align vulnerability details. Our data team monitors thousands of sources 24/7. As soon as a new vulnerability disclosure is suspected, it is analyzed for eligibility." + "contentnewsType": "paragraph", + "content": "At the beginning, CVE used the now obsolete CAN tag (“candidate”) to deal with new entries. We do not use such a tagging, but we do add a confidence level to every commit to help users put data into quality context. Duplicate detection became harder, again, because there are a lot of new vulnerabilities published nowadays (approximately 76 per day in 2022, compared to 40 in 2016) and many more communication channels available. In earlier days, reading mailing lists and collecting vendor advisories was enough. 
Today, monitoring code repositories, social media, and darknet marketplaces are even more important, especially if you want to cover zero-day vulnerabilities." }, { - "contentnewsType": "paragraph", - "content": "At the beginning, CVE used the now obsolete CAN tag (“candidate”) to deal with new entries. We do not use such a tagging, but we do add a confidence level to every commit to help users put data into quality context. Duplicate detection became harder, again, because there are a lot of new vulnerabilities published nowadays (approximately 76 per day in 2022, compared to 40 in 2016) and many more communication channels available. In earlier days, reading mailing lists and collecting vendor advisories was enough. Today, monitoring code repositories, social media, and darknet marketplaces are even more important, especially if you want to cover zero-day vulnerabilities." + "contentnewsType": "paragraph", + "content": "

Why We Joined the CVE Program

" }, { - "contentnewsType": "paragraph", - "content": "

Why We Joined the CVE Program

" + "contentnewsType": "paragraph", + "content": "For many years, colleagues and customers were approaching us and asked why we are not supporting the CVE Program or even becoming a CNA ourselves. We are working with CVE data daily and are aware of the importance of the program for the cybersecurity industry, as well as the demanding requirements that come with such importance." }, { - "contentnewsType": "paragraph", - "content": "For many years, colleagues and customers were approaching us and asked why we are not supporting the CVE Program or even becoming a CNA ourselves. We are working with CVE data daily and are aware of the importance of the program for the cybersecurity industry, as well as the demanding requirements that come with such importance." + "contentnewsType": "paragraph", + "content": "In 2021, we decided to contact the CVE Program to discuss possibilities of a collaboration. It was very important for us to remain independent while also being a CNA. As defined in the CNA Rules, every CNA requires a specific scope. For VulDB to become a CNA, our scope needed to be broader than the CNA Rules currently defines. We discussed this issue with the CVE Program and were able to agree upon a product-independent scope. Primarily, we will assign CVEs for products not covered by other CNAs, but we are also allowed to negotiate vulnerability processing with other CNAs. Security researchers appreciate this possibility.*" }, { - "contentnewsType": "paragraph", - "content": "In 2021, we decided to contact the CVE Program to discuss possibilities of a collaboration. It was very important for us to remain independent while also being a CNA. As defined in the CNA Rules, every CNA requires a specific scope. For VulDB to become a CNA, our scope needed to be broader than the CNA Rules currently defines. We discussed this issue with the CVE Program and were able to agree upon a product-independent scope. 
Primarily, we will assign CVEs for products not covered by other CNAs, but we are also allowed to negotiate vulnerability processing with other CNAs. Security researchers appreciate this possibility.*" + "contentnewsType": "paragraph", + "content": "

The Importance of Vulnerability Management

" }, { - "contentnewsType": "paragraph", - "content": "

The Importance of Vulnerability Management

" + "contentnewsType": "paragraph", + "content": "CNA Rule 7.2, “How Many Vulnerabilities?”, defines a clear requirement for splitting and merging entries. Our own philosophy differs slightly. Not much, but enough to add another level of complexity for our data team. If there is one CVE, we might have to split it into multiple entries in VulDB or there are several CVEs available for a single entry." }, { - "contentnewsType": "paragraph", - "content": "CNA Rule 7.2, “How Many Vulnerabilities?”, defines a clear requirement for splitting and merging entries. Our own philosophy differs slightly. Not much, but enough to add another level of complexity for our data team. If there is one CVE, we might have to split it into multiple entries in VulDB or there are several CVEs available for a single entry." + "contentnewsType": "paragraph", + "content": "Occasionally, customers want to understand the reason why we split or merge entries. We enjoy these exchanges of the philosophical nature of vulnerabilities. There is a lot of room for ideas that can enrich and improve our industry. Some examples are product assignments, version handling, risk ratings, and vulnerability class definitions, to just name a few. Projects like CPE, CVSS, CWE, and ATT&CK took the role of CVE in their respective fields. They are often not perfect solutions, but do help to introduce a common language." }, { - "contentnewsType": "paragraph", - "content": "Occasionally, customers want to understand the reason why we split or merge entries. We enjoy these exchanges of the philosophical nature of vulnerabilities. There is a lot of room for ideas that can enrich and improve our industry. Some examples are product assignments, version handling, risk ratings, and vulnerability class definitions, to just name a few. Projects like CPE, CVSS, CWE, and ATT&CK took the role of CVE in their respective fields. They are often not perfect solutions, but do help to introduce a common language." 
+ "contentnewsType": "paragraph", + "content": "Unfortunately, it is often forgotten that vulnerability management is one of the main pillars of cyber security. Perhaps because for some, it might not spark the glamorous appeal of new topics like artificial intelligence and blockchain, but for us it does. Without vulnerability management, there will be no new secure technologies." }, { - "contentnewsType": "paragraph", - "content": "Unfortunately, it is often forgotten that vulnerability management is one of the main pillars of cyber security. Perhaps because for some, it might not spark the glamorous appeal of new topics like artificial intelligence and blockchain, but for us it does. Without vulnerability management, there will be no new secure technologies." + "contentnewsType": "paragraph", + "content": "

Conclusion

" }, { - "contentnewsType": "paragraph", - "content": "

Conclusion

" + "contentnewsType": "paragraph", + "content": "Our dedicated CNA team supports our data team in processing new submissions and coordinating CVE disclosures. This re-introduced the early challenges of duplicate detection before the CVE era. But we profit from a lot of experience and optimized processes compiled over decades. We are very confident and happy to be a part of something important like the CVE Program." }, { - "contentnewsType": "paragraph", - "content": "Our dedicated CNA team supports our data team in processing new submissions and coordinating CVE disclosures. This re-introduced the early challenges of duplicate detection before the CVE era. But we profit from a lot of experience and optimized processes compiled over decades. We are very confident and happy to be a part of something important like the CVE Program." - }, - { - "contentnewsType": "paragraph", - "content": "* This paragraph was updated on July 12, 2022 to better clarify VulDB’s CNA scope. Click here to view VulDB’s official scope statement." - } - ] - }, - { + "contentnewsType": "paragraph", + "content": "* This paragraph was updated on July 12, 2022 to better clarify VulDB’s CNA scope. Click here to view VulDB’s official scope statement." + } + ] + }, + { "id": 85, "newsType": "news", "title": "HYPR Added as CVE Numbering Authority (CNA)", @@ -10484,7 +10976,7 @@ { "contentnewsType": "paragraph", "content": "GE (Gas Power)’s Root is the CISA ICS Top-Level Root." - }, + }, { "contentnewsType": "paragraph", "content": "To request a CVE ID number from a CNA, visit Request a CVE ID." @@ -10508,7 +11000,7 @@ { "contentnewsType": "paragraph", "content": "OpenAnolis’ Root is the MITRE Top-Level Root." - }, + }, { "contentnewsType": "paragraph", "content": "To request a CVE ID number from a CNA, visit Request a CVE ID." 
@@ -10532,7 +11024,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "ZUSO ART’s Root is the MITRE Top-Level Root."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
@@ -10622,7 +11114,7 @@
 "content": "The CVE Board held a teleconference meeting on March 30, 2022. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -10644,7 +11136,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "Medtronic’s Root is the CISA ICS Top-Level Root."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
@@ -10658,7 +11150,7 @@
 "date": "2022-03-22",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "A CVE Program Automation Website is now available as a resource for CVE Numbering Authorities (CNAs) to stay informed about CVE Program automation efforts, especially the upcoming transition to CVE Services 2.1 and CVE JSON 5.0. This is the initial launch version of the website, which will be built out with additional information over time."
 },
 {
@@ -10682,7 +11174,7 @@
 "content": "The CVE Board held a teleconference meeting on March 16, 2022. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -10704,7 +11196,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "JetBrains’ Root is the MITRE Top-Level Root."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
@@ -10722,7 +11214,7 @@
 "content": "The CVE Board held a teleconference meeting on March 2, 2022. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -10744,7 +11236,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "Citrix’s Root is the MITRE Top-Level Root."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
@@ -10762,7 +11254,7 @@
 "content": "The CVE Board held a teleconference meeting on February 16, 2022. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -10804,199 +11296,219 @@ }, "title": "", "bio": "" - }, + }, "description": [ - { - "contentnewsType": "paragraph", - "content": "The CVE Program’s quarterly calendar year (CY) summary of program milestones and metrics for Q4 CY 2021." - }, - { - "contentnewsType": "paragraph", - "content": "

Q4 CY 2021 Milestones

" - }, - { - "contentnewsType": "paragraph", - "content": "

23 CVE Numbering Authorities (CNAs) Added

" - }, - { - "contentnewsType": "paragraph", - "content": "A total of twenty-three new CNAs were added by the two Top-Level Roots (CISA ICS and MITRE) and the two Roots (INCIBE and JPCERT/CC), as follows:" - }, - { - "contentnewsType": "paragraph", - "content": "Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Top-Level Root:" - }, - { - "contentnewsType": "paragraph", - "content": "" - }, - { - "contentnewsType": "paragraph", - "content": "MITRE Top-Level Root:" - }, - { - "contentnewsType": "paragraph", - "content": "" - }, - { - "contentnewsType": "paragraph", - "content": "JPCERT/CC Root:" - }, - { - "contentnewsType": "paragraph", - "content": "" - }, - { - "contentnewsType": "paragraph", - "content": "Spanish National Cybersecurity Institute, S.A. (INCIBE) Root:" - }, - { - "contentnewsType": "paragraph", - "content": "" - }, - { - "contentnewsType": "paragraph", - "content": "

CVE Program Surpasses 200+ Partners

" - }, - { - "contentnewsType": "paragraph", - "content": "On November 16, 2021, the CVE Program surpassed a major milestone of 200+ organizations from 32 countries partnering with the program. Partners include CNAs that assign CVE IDs and publish CVE Records within a specific scope, CNAs of Last Resort (CNA-LRs) that assign CVE IDs to vulnerabilities and publish CVE Records not covered by the scope of another CNA, as well Top-Level Roots and Roots that manage CNAs within a given domain or community. From 2016 through November 16, 2021, 178 partners from around the world joined the program. For the most up-to-date partner data, visit program growth." - }, - { - "contentnewsType": "paragraph", - "content": "

CVE Services 2.x Workshop for CNAs on October 26

" - }, - { - "contentnewsType": "paragraph", - "content": "Discussion topics for the “CVE Services 2.x Workshop” that was held on October 26 the second of three planned CVE Services workshops included the latest updates on the CVE Services; CVE JSON 5.0 and how to construct the JSON; the free CVE Services API for using the services that was developed and contributed by Red Hat; Vulnogram, the free online tool for CNAs; and a Q/A." - }, - { - "contentnewsType": "paragraph", - "content": "

CVE Global Summit Fall 2021

" - }, - { - "contentnewsType": "paragraph", - "content": "On October 26-27, members of the CVE community gathered together virtually for the “CVE Global Summit Fall 2021” to discuss CVE and cybersecurity, best practices, lessons learned, new opportunities, and more. Held twice per year, the summit is a way for CVE community members to regularly collaborate on specific topics in a focused manner. Session topics at the fall summit included an Introduction and State of the CVE Program; CNA Workshop: “CVE Services 2.x for End Users”; Enabling the Future for the CVE Program, about the longer-term goals of automation and how it enables the federated CVE model’s operations; the upcoming CVE Authorized Data Publisher (ADP) Pilot; a CVE Program Listening Session focused on CNAs; a Top-Level Roots and Roots Discussion Panel; Working Group Progress and Highlights; and an open discussion on program topics of concern to the assembled CNAs." - }, - { - "contentnewsType": "paragraph", - "content": "

Three “We Speak CVE” Podcast Episodes Published

" - }, - { - "contentnewsType": "paragraph", - "content": "In December, “Enhancing CVE Records as an Authorized Data Publisher” discusses how the CVE Program’s upcoming release of JSON 5.0 will allow for additional and related information to be added to CVE Records after they have been published by CNAs, and how these additions e.g., risk scores, affected product lists, versions, references, translations, etc.) will be made by “Authorized Data Publishers (ADPs),” which will be organizations authorized within the CVE Program to enrich the records. In November, “How Red Hat’s Active Participation Helps Improve the CVE Program” provided insight into the many benefits of actively participating as a member of the CVE community, especially in the CVE Working Groups, in order to directly impact automation and the strategic direction of CVE. In October, three CVE Board members provide the truth and facts about four myths about the CVE Program in “CVE Myths versus Facts.”" - }, - { - "contentnewsType": "paragraph", - "content": "

Two “Our CVE Story” Articles Published on CVE Blog

" - }, - { - "contentnewsType": "paragraph", - "content": "In the “Our CVE Story” series, CNAs tell the CVE Program story from their unique perspective. In December, “Our CVE Story: CERT@VDE” was contributed by Jochen Becker of CERT@VDE. In October, “Our CVE Story: Becoming a CNA from an Industrial Vendor’s View” was contributed by Klaus Lukas of Siemens." - }, - { - "contentnewsType": "paragraph", - "content": "

Spanish Translations of CNA Onboarding Slides

" - }, - { - "contentnewsType": "paragraph", - "content": "In November, Spanish National Cybersecurity Institute, S.A. (INCIBE) provided Spanish translations of the CVE Program’s CNA onboarding slides for new CNAs, including: CVE Program Overview, Becoming a CNA, CNA Processes, Assigning CVE IDs, CVE Record Creation, CVE Record GitHub Submissions, and CVE Record Submissions to the MITRE Top-Level Root (TL-Root) only. The program thanks INCIBE for this contribution." - }, - { - "contentnewsType": "paragraph", - "content": "

Q4 CY 2021 Metrics

" - }, - { - "contentnewsType": "paragraph", - "content": "Metrics for Q4 CY 2021 Published CVE Records and Reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons." - }, - { - "contentnewsType": "paragraph", - "content": "Terminology
" - }, - { - "contentnewsType": "paragraph", - "content": "

Published CVE Records

" - }, - { - "contentnewsType": "paragraph", - "content": "As shown in the table below, CVE Program production was 5,200 CVE Records for CY Q4 2021. This is a 16% increase over the same quarter last year CY Q4 2020. This includes all CVE Records published by all CNAs and the two CNA-LRs." - }, - { - "contentnewsType": "table", - "title": "", - "year": "2021", - "quarter": [ "Q1", "Q2", "Q3", "Q4"], - "dataRowTitle": "CVE Records Published by All CNAs", - "dataRowCounts": ["4,415", "5,005", "5,541", "5,200"] - }, - { - "contentnewsType": "paragraph", - "content": "
" - }, - { - "contentnewsType": "image", - "imageWidth": "", - "href": "/news/cveProgramReport/publishedCVERecordsAllYearsQ4CY2021.png", - "altText": "Comparison of published CVE Records by year for all years by all CNAs and CNA-LRs (figure 1).", - "captionText": "Comparison of published CVE Records by year from 2017-2021 by all CNAs and CNA-LRs (figure 1).
View as a table on the Metrics page." - }, - { - "contentnewsType": "paragraph", - "content": "

Reserved CVE IDs

" - }, - { - "contentnewsType": "paragraph", - "content": "The CVE Program tracks reserved CVE IDs. As shown in the table below, 6,802 CVE IDs were in the “Reserved” state in Q4 CY 2021, an 11% increase over the previous quarter. This includes all CVE IDs reserved by all CNAs and the two CNA-LRs." - }, - { - "contentnewsType": "table", - "title": "", - "year": "2021", - "quarter": [ "Q1", "Q2", "Q3", "Q4"], - "dataRowTitle": "CVE IDs Reserved by All CNAs", - "dataRowCounts": ["9,196", "6,451", "6,057", "6,802"] - }, - { - "contentnewsType": "paragraph", - "content": "
" - }, - { - "contentnewsType": "image", - "imageWidth": "", - "href": "/news/cveProgramReport/reservedCVEIDsAllYearsQ4CY2021.png", - "altText": "Comparison of reserved CVE IDs by year for all years by all CNAs and CNA-LRs (figure 2).", - "captionText": "Comparison of reserved CVE IDs by year from 2017-2021 by all CNAs and CNA-LRs (figure 2).
View as a table on the Metrics page." - }, - { - "contentnewsType": "paragraph", - "content": "

All CVE IDs Are Assigned by CNAs

" - }, - { - "contentnewsType": "paragraph", - "content": "All of the CVE IDs cited in the metrics above are assigned by CNAs and the two CNA-LRs. CNAs are software vendors, open-source projects, coordination centers, bug bounty service providers, hosted services, and research groups and individuals authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage. CNA-LRs are established by their Top-Level Roots and assign CVE IDs and publish CVE Records for vulnerabilities that are not covered by the scope of another CNA." - }, - { - "contentnewsType": "paragraph", - "content": "CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign." - }, - { - "contentnewsType": "paragraph", - "content": "Currently, 211 organizations from 33 countries have partnered with the CVE Program. Learn how to become a CNA or contact a Root (INCIBE or JPCERT/CC) or Top-Level Root (CISA ICS or MITRE) to start the partnering process today." - }, - { - "contentnewsType": "paragraph", - "content": "

Comments or Questions?

" - }, - { - "contentnewsType": "paragraph", - "content": "If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Program Request forms and select “Other” from the dropdown menu." - }, - { - "contentnewsType": "paragraph", - "content": "We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!" - } - ] + { + "contentnewsType": "paragraph", + "content": "The CVE Program’s quarterly calendar year (CY) summary of program milestones and metrics for Q4 CY 2021." + }, + { + "contentnewsType": "paragraph", + "content": "

Q4 CY 2021 Milestones

" + }, + { + "contentnewsType": "paragraph", + "content": "

23 CVE Numbering Authorities (CNAs) Added

" + }, + { + "contentnewsType": "paragraph", + "content": "A total of twenty-three new CNAs were added by the two Top-Level Roots (CISA ICS and MITRE) and the two Roots (INCIBE and JPCERT/CC), as follows:" + }, + { + "contentnewsType": "paragraph", + "content": "Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Top-Level Root:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "MITRE Top-Level Root:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "JPCERT/CC Root:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "Spanish National Cybersecurity Institute, S.A. (INCIBE) Root:" + }, + { + "contentnewsType": "paragraph", + "content": "" + }, + { + "contentnewsType": "paragraph", + "content": "

CVE Program Surpasses 200+ Partners

" + }, + { + "contentnewsType": "paragraph", + "content": "On November 16, 2021, the CVE Program surpassed a major milestone of 200+ organizations from 32 countries partnering with the program. Partners include CNAs that assign CVE IDs and publish CVE Records within a specific scope, CNAs of Last Resort (CNA-LRs) that assign CVE IDs to vulnerabilities and publish CVE Records not covered by the scope of another CNA, as well Top-Level Roots and Roots that manage CNAs within a given domain or community. From 2016 through November 16, 2021, 178 partners from around the world joined the program. For the most up-to-date partner data, visit program growth." + }, + { + "contentnewsType": "paragraph", + "content": "

CVE Services 2.x Workshop for CNAs on October 26

" + }, + { + "contentnewsType": "paragraph", + "content": "Discussion topics for the “CVE Services 2.x Workshop” that was held on October 26 the second of three planned CVE Services workshops included the latest updates on the CVE Services; CVE JSON 5.0 and how to construct the JSON; the free CVE Services API for using the services that was developed and contributed by Red Hat; Vulnogram, the free online tool for CNAs; and a Q/A." + }, + { + "contentnewsType": "paragraph", + "content": "

CVE Global Summit Fall 2021

" + }, + { + "contentnewsType": "paragraph", + "content": "On October 26-27, members of the CVE community gathered together virtually for the “CVE Global Summit Fall 2021” to discuss CVE and cybersecurity, best practices, lessons learned, new opportunities, and more. Held twice per year, the summit is a way for CVE community members to regularly collaborate on specific topics in a focused manner. Session topics at the fall summit included an Introduction and State of the CVE Program; CNA Workshop: “CVE Services 2.x for End Users”; Enabling the Future for the CVE Program, about the longer-term goals of automation and how it enables the federated CVE model’s operations; the upcoming CVE Authorized Data Publisher (ADP) Pilot; a CVE Program Listening Session focused on CNAs; a Top-Level Roots and Roots Discussion Panel; Working Group Progress and Highlights; and an open discussion on program topics of concern to the assembled CNAs." + }, + { + "contentnewsType": "paragraph", + "content": "

Three “We Speak CVE” Podcast Episodes Published

" + }, + { + "contentnewsType": "paragraph", + "content": "In December, “Enhancing CVE Records as an Authorized Data Publisher” discusses how the CVE Program’s upcoming release of JSON 5.0 will allow for additional and related information to be added to CVE Records after they have been published by CNAs, and how these additions e.g., risk scores, affected product lists, versions, references, translations, etc.) will be made by “Authorized Data Publishers (ADPs),” which will be organizations authorized within the CVE Program to enrich the records. In November, “How Red Hat’s Active Participation Helps Improve the CVE Program” provided insight into the many benefits of actively participating as a member of the CVE community, especially in the CVE Working Groups, in order to directly impact automation and the strategic direction of CVE. In October, three CVE Board members provide the truth and facts about four myths about the CVE Program in “CVE Myths versus Facts.”" + }, + { + "contentnewsType": "paragraph", + "content": "

Two “Our CVE Story” Articles Published on CVE Blog

" + }, + { + "contentnewsType": "paragraph", + "content": "In the “Our CVE Story” series, CNAs tell the CVE Program story from their unique perspective. In December, “Our CVE Story: CERT@VDE” was contributed by Jochen Becker of CERT@VDE. In October, “Our CVE Story: Becoming a CNA from an Industrial Vendor’s View” was contributed by Klaus Lukas of Siemens." + }, + { + "contentnewsType": "paragraph", + "content": "

Spanish Translations of CNA Onboarding Slides

" + }, + { + "contentnewsType": "paragraph", + "content": "In November, Spanish National Cybersecurity Institute, S.A. (INCIBE) provided Spanish translations of the CVE Program’s CNA onboarding slides for new CNAs, including: CVE Program Overview, Becoming a CNA, CNA Processes, Assigning CVE IDs, CVE Record Creation, CVE Record GitHub Submissions, and CVE Record Submissions to the MITRE Top-Level Root (TL-Root) only. The program thanks INCIBE for this contribution." + }, + { + "contentnewsType": "paragraph", + "content": "

Q4 CY 2021 Metrics

" + }, + { + "contentnewsType": "paragraph", + "content": "Metrics for Q4 CY 2021 Published CVE Records and Reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons." + }, + { + "contentnewsType": "paragraph", + "content": "Terminology
" + }, + { + "contentnewsType": "paragraph", + "content": "

Published CVE Records

" + }, + { + "contentnewsType": "paragraph", + "content": "As shown in the table below, CVE Program production was 5,200 CVE Records for CY Q4 2021. This is a 16% increase over the same quarter last year CY Q4 2020. This includes all CVE Records published by all CNAs and the two CNA-LRs." + }, + { + "contentnewsType": "table", + "title": "", + "year": "2021", + "quarter": [ + "Q1", + "Q2", + "Q3", + "Q4" + ], + "dataRowTitle": "CVE Records Published by All CNAs", + "dataRowCounts": [ + "4,415", + "5,005", + "5,541", + "5,200" + ] + }, + { + "contentnewsType": "paragraph", + "content": "
" + }, + { + "contentnewsType": "image", + "imageWidth": "", + "href": "/news/cveProgramReport/publishedCVERecordsAllYearsQ4CY2021.png", + "altText": "Comparison of published CVE Records by year for all years by all CNAs and CNA-LRs (figure 1).", + "captionText": "Comparison of published CVE Records by year from 2017-2021 by all CNAs and CNA-LRs (figure 1).
View as a table on the Metrics page." + }, + { + "contentnewsType": "paragraph", + "content": "

Reserved CVE IDs

" + }, + { + "contentnewsType": "paragraph", + "content": "The CVE Program tracks reserved CVE IDs. As shown in the table below, 6,802 CVE IDs were in the “Reserved” state in Q4 CY 2021, an 11% increase over the previous quarter. This includes all CVE IDs reserved by all CNAs and the two CNA-LRs." + }, + { + "contentnewsType": "table", + "title": "", + "year": "2021", + "quarter": [ + "Q1", + "Q2", + "Q3", + "Q4" + ], + "dataRowTitle": "CVE IDs Reserved by All CNAs", + "dataRowCounts": [ + "9,196", + "6,451", + "6,057", + "6,802" + ] + }, + { + "contentnewsType": "paragraph", + "content": "
" + }, + { + "contentnewsType": "image", + "imageWidth": "", + "href": "/news/cveProgramReport/reservedCVEIDsAllYearsQ4CY2021.png", + "altText": "Comparison of reserved CVE IDs by year for all years by all CNAs and CNA-LRs (figure 2).", + "captionText": "Comparison of reserved CVE IDs by year from 2017-2021 by all CNAs and CNA-LRs (figure 2).
View as a table on the Metrics page." + }, + { + "contentnewsType": "paragraph", + "content": "

All CVE IDs Are Assigned by CNAs

" + }, + { + "contentnewsType": "paragraph", + "content": "All of the CVE IDs cited in the metrics above are assigned by CNAs and the two CNA-LRs. CNAs are software vendors, open-source projects, coordination centers, bug bounty service providers, hosted services, and research groups and individuals authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage. CNA-LRs are established by their Top-Level Roots and assign CVE IDs and publish CVE Records for vulnerabilities that are not covered by the scope of another CNA." + }, + { + "contentnewsType": "paragraph", + "content": "CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign." + }, + { + "contentnewsType": "paragraph", + "content": "Currently, 211 organizations from 33 countries have partnered with the CVE Program. Learn how to become a CNA or contact a Root (INCIBE or JPCERT/CC) or Top-Level Root (CISA ICS or MITRE) to start the partnering process today." + }, + { + "contentnewsType": "paragraph", + "content": "

Comments or Questions?

" + }, + { + "contentnewsType": "paragraph", + "content": "If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Program Request forms and select “Other” from the dropdown menu." + }, + { + "contentnewsType": "paragraph", + "content": "We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!" + } + ] }, { "id": 65, @@ -11009,7 +11521,7 @@ "content": "The CVE Board held a teleconference meeting on February 2, 2022. Read the meeting minutes." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information." } ] @@ -11031,7 +11543,7 @@ { "contentnewsType": "paragraph", "content": "DIVD’s Root is the MITRE Top-Level Root." - }, + }, { "contentnewsType": "paragraph", "content": "To request a CVE ID number from a CNA, visit Request a CVE ID." @@ -11051,10 +11563,10 @@ }, "title": "", "bio": "" - }, + }, "description": [ { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "The CVE® Program is expanding its partnership with Google for managing the assignment of CVE Identifiers (CVE IDs) for the CVE Program." }, { 
@@ -11098,7 +11610,7 @@
 "content": "The CVE Board held a teleconference meeting on January 19, 2022. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -11116,7 +11628,7 @@
 },
 "title": "",
 "bio": ""
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
@@ -11171,7 +11683,7 @@
 "content": "The CVE Board held a teleconference meeting on January 5, 2022. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -11411,7 +11923,7 @@
 "content": "Mirantis’ Root is the MITRE Top-Level Root."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
 }
 ]
@@ -11453,11 +11965,11 @@
 },
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "Guest author Jochen Becker is Information Security Manager at CERT@VDE, and CERT@VDE is a CVE Numbering Authority (CNA)."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "CERT@VDE is a neutral, independent platform for European vendors of industrial control systems (ICS)/operational technology (OT) devices and/or software. With 20 vendors as partners, CERT@VDE tries to lower the barriers of responsible disclosure processes and establish a community for cybersecurity knowledge exchange within the European ICS industry. CERT@VDE is part of the non-profit VDE focused on science and technology and is the German member of International Electrotechnical Commission (IEC) and European Committee for Electrotechnical Standardization (CENELEC)."
 },
 {
@@ -11513,7 +12025,7 @@
 "content": "TeamViewer’s Root is the MITRE Top-Level Root."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
 }
 ]
@@ -11535,7 +12047,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "Profelis’ Root is the MITRE Top-Level Root."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
@@ -11555,7 +12067,7 @@
 },
 "title": "",
 "bio": ""
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
@@ -11628,13 +12140,13 @@
 {
 "contentnewsType": "paragraph",
 "content": "Panasonic Corporation’s Root is the JPCERT/CC Root."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
 }
 ]
- },
+ },
 {
 "id": 46,
 "newsType": "news",
@@ -11652,7 +12164,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "ZGR’s Root is the Spanish National Cybersecurity Institute (INCIBE) Root."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
@@ -11692,10 +12204,10 @@
 },
 {
 "contentnewsType": "paragraph",
- "content": "Please visit CNA Onboarding to view the onboarding videos and for the English and Japanese versions of the slides."
- },
+ "content": "Please visit CNA Onboarding to view the onboarding videos and for the English and Japanese versions of the slides."
+ },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "To learn more about the CNA program, and the business benefits of partnering with the CVE Program as CNA, visit How to Become a CNA."
 }
 ]
@@ -11711,7 +12223,7 @@
 "content": "The CVE Board held a teleconference meeting on November 10, 2021. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -11732,8 +12244,8 @@
 },
 {
 "contentnewsType": "paragraph",
- "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
- }
+ "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
+ }
 ]
 },
 {
@@ -11749,12 +12261,12 @@
 },
 "title": "",
 "bio": ""
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
 "content": "The CVE Numbering Authority (CNA) program now includes 201 organizations from around the world."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "CNAs are software vendors, open-source projects, coordination centers, bug bounty service providers, hosted services, and research groups authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage."
@@ -11865,7 +12377,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "Artica PFMS’s Root is the Spanish National Cybersecurity Institute (INCIBE) Root."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
@@ -11879,7 +12391,7 @@
 "date": "2021-11-16",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "Acronis International GmbH is now a CVE Numbering Authority (CNA) for all Acronis products, including Acronis Cyber Protect, Acronis Cyber Protect Home Office, Acronis DeviceLock DLP, and Acronis Snap Deploy."
 },
 {
@@ -11889,7 +12401,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "Acronis International’s Root is the MITRE Top-Level Root."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
@@ -11933,7 +12445,7 @@
 },
 "title": "",
 "bio": ""
- },
+ },
 "description": [
 {
 "contentnewsType": "paragraph",
@@ -12027,15 +12539,23 @@
 "contentnewsType": "table",
 "title": "",
 "year": "2021",
- "quarter": [ "Q1", "Q2", "Q3"],
+ "quarter": [
+ "Q1",
+ "Q2",
+ "Q3"
+ ],
 "dataRowTitle": "CVE Records Published by All CNAs",
- "dataRowCounts": ["4,415", "4,999", "5,421"]
- },
+ "dataRowCounts": [
+ "4,415",
+ "4,999",
+ "5,421"
+ ]
+ },
 {
 "contentnewsType": "image",
 "imageWidth": "",
 "href": "/news/cveProgramReport/publishedCVERecordsAllYearsQ3CY2021.png",
- "altText": "Comparison of published CVE Records by quarter for all years by all CNAs (figure 1).",
+ "altText": "Comparison of published CVE Records by quarter for all years by all CNAs (figure 1).",
 "captionText": "Comparison of published CVE Records by year and quarter by all CNAs (figure 1). View as a table on the Metrics page."
 },
 {
@@ -12050,10 +12570,18 @@
 "contentnewsType": "table",
 "title": "",
 "year": "2021",
- "quarter": [ "Q1", "Q2", "Q3"],
+ "quarter": [
+ "Q1",
+ "Q2",
+ "Q3"
+ ],
 "dataRowTitle": "CVE IDs Reserved by All CNAs",
- "dataRowCounts": ["9,196", "6,451", "6,057"]
- },
+ "dataRowCounts": [
+ "9,196",
+ "6,451",
+ "6,057"
+ ]
+ },
 {
 "contentnewsType": "image",
 "imageWidth": "",
@@ -12119,7 +12647,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "AppCheck’s Root is the MITRE Top-Level Root."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
@@ -12143,7 +12671,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "Western Digital’s Root is the MITRE Top-Level Root."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
@@ -12233,7 +12761,7 @@
 "content": "The CVE Board held a teleconference meeting on October 13, 2021. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -12245,7 +12773,7 @@
 "date": "2021-10-19",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "ForgeRock, Inc. is now a CVE Numbering Authority (CNA) for ForgeRock issues only."
 },
 {
@@ -12344,7 +12872,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "GovTech CSG’s Root is the MITRE Top-Level Root."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
@@ -12368,7 +12896,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "Thales’ Root is the CISA ICS Top-Level Root."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
@@ -12407,7 +12935,7 @@
 "content": "The CVE Board held a teleconference meeting on September 29, 2021. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -12429,7 +12957,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "MediaTek’s Root is the MITRE Top-Level Root."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
@@ -12487,7 +13015,7 @@
 "content": "NCSC’s Root is the MITRE Top-Level Root."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
 }
 ]
@@ -12547,7 +13075,7 @@
 "date": "2021-09-28",
 "description": [
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "Palantir Technologies is now a CVE Numbering Authority (CNA) for Palantir products and technologies only."
 },
 {
@@ -12599,59 +13127,59 @@
 "content": "The CVE Board held a teleconference meeting on September 15, 2021. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
 },
 {
- "id": 14,
- "newsType": "news",
- "title": "LG Electronics Added as CVE Numbering Authority (CNA)",
- "date": "2021-09-14",
- "description": [
- {
- "contentnewsType": "paragraph",
- "content": "LG Electronics is now a CVE Numbering Authority (CNA) for LG Electronics products only."
- },
- {
- "contentnewsType": "paragraph",
- "content": "To date, 184 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities."
- },
- {
- "contentnewsType": "paragraph",
- "content": "LG Electronics’ Root is the MITRE Top-Level Root."
- },
- {
- "contentnewsType": "paragraph",
- "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
- }
- ]
- },
- {
- "id": 13,
- "newsType": "news",
- "title": "Snow Software Added as CVE Numbering Authority (CNA)",
- "date": "2021-09-14",
- "description": [
- {
- "contentnewsType": "paragraph",
- "content": "Snow Software is now a CVE Numbering Authority (CNA) for all Snow Software products."
- },
- {
- "contentnewsType": "paragraph",
- "content": "To date, 183 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities."
- },
- {
- "contentnewsType": "paragraph",
- "content": "Snow Software’s Root is the MITRE Top-Level Root."
- },
- {
- "contentnewsType": "paragraph",
- "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
- }
- ]
- },
+ "id": 14,
+ "newsType": "news",
+ "title": "LG Electronics Added as CVE Numbering Authority (CNA)",
+ "date": "2021-09-14",
+ "description": [
+ {
+ "contentnewsType": "paragraph",
+ "content": "LG Electronics is now a CVE Numbering Authority (CNA) for LG Electronics products only."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "To date, 184 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "LG Electronics’ Root is the MITRE Top-Level Root."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
+ }
+ ]
+ },
+ {
+ "id": 13,
+ "newsType": "news",
+ "title": "Snow Software Added as CVE Numbering Authority (CNA)",
+ "date": "2021-09-14",
+ "description": [
+ {
+ "contentnewsType": "paragraph",
+ "content": "Snow Software is now a CVE Numbering Authority (CNA) for all Snow Software products."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "To date, 183 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "Snow Software’s Root is the MITRE Top-Level Root."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "To request a CVE ID number from a CNA, visit Request a CVE ID."
+ }
+ ]
+ },
 {
 "id": 12,
 "newsType": "podcast",
@@ -12665,7 +13193,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "The chairs and co-chairs of each WG, each of whom is an active member of the CVE community, chat about their WG’s overall mission, current work, and future plans. Discussion begins with the Transition (TWG), a temporary WG focused on managing the numerous modernization, automation, and process transitions currently underway in the CVE Program. Each of the five main WGs are then discussed in turn: Strategic Planning (SPWG), CNA Coordination (CNACWG), Quality (QWG), Automation (AWG), and Outreach and Communications (OCWG). How and why to participate, and the impact individuals can make on the program, are also included."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "“We Speak CVE” is a free podcast about cybersecurity, vulnerability management, and the CVE Program. Listen as an MP3, on YouTube, and on major podcast directories such as Spotify, Stitcher, Google Podcasts, Apple Podcasts, iHeartRadio, Podcast Addict, Podchaser, Pocket Casts, Deezer, Listen Notes, Player FM, and Podcast Index, among others."
@@ -12684,7 +13212,7 @@
 "content": "The CVE Board held a teleconference meeting on September 1, 2021. Read the meeting minutes."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information."
 }
 ]
@@ -12728,7 +13256,7 @@
 "content": "To date, 182 organizations from 31 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities."
 },
 {
- "contentnewsType": "paragraph",
+ "contentnewsType": "paragraph",
 "content": "TR-CERT’s Root is the MITRE Top-Level Root."
 },
 {
@@ -12755,7 +13283,7 @@
 {
 "contentnewsType": "paragraph",
 "content": "Guest author Rob Cowsley is Cyber Security Architect at Gallagher, and Gallagher is the first New Zealand organization to be authorized as a CVE Numbering Authority (CNA)."
- },
+ },
 {
 "contentnewsType": "paragraph",
 "content": "As a responsible global security manufacturer, Gallagher acknowledges that the solutions we produced a decade ago were at the forefront of their time, but as security technology evolves, new vulnerabilities present themselves, and it’s how we manage these vulnerabilities today that matters most."
@@ -12764,7 +13292,7 @@
 "contentnewsType": "paragraph",
 "content": "Our continuous improvement mindset, along with a need to streamline and simplify security vulnerability disclosures for the benefit of our customers, inspired our journey to assign CVE IDs to vulnerabilities affecting our product."
 },
- {
+ {
 "contentnewsType": "paragraph",
 "content": "Prior to becoming an authorized CVE Numbering Authority (CNA), Gallagher actively assigned CVE IDs through the MITRE CNA of Last Resort to ensure identified vulnerabilities across Gallagher’s security solutions were disclosed. Now that we have the authority to publish our own security vulnerabilities through the CVE Program as CVE Records, we can better communicate this important information to our customers. Furthermore, it allows us to raise awareness of the work we are doing to improve the security of physical systems in an industry that can sometimes be wary of publicly disclosing a vulnerability."
 },
@@ -12840,92 +13368,92 @@
 ],
 "archiveNews": [
 {
- "year": "2020",
- "url": "/Resources/Media/Archives/News/2020_News.pdf"
+ "year": "2020",
+ "url": "/Resources/Media/Archives/News/2020_News.pdf"
 },
 {
- "year": "2019",
- "url": "/Resources/Media/Archives/News/2019_News.pdf"
+ "year": "2019",
+ "url": "/Resources/Media/Archives/News/2019_News.pdf"
 },
 {
- "year": "2018",
- "url": "/Resources/Media/Archives/News/2018_News.pdf"
+ "year": "2018",
+ "url": "/Resources/Media/Archives/News/2018_News.pdf"
 },
 {
- "year": "2017",
- "url": "/Resources/Media/Archives/News/2017_News.pdf"
+ "year": "2017",
+ "url": "/Resources/Media/Archives/News/2017_News.pdf"
 },
 {
- "year": "2016",
- "url": "/Resources/Media/Archives/News/2016_News.pdf"
+ "year": "2016",
+ "url": "/Resources/Media/Archives/News/2016_News.pdf"
 },
 {
- "year": "2015",
- "url": "/Resources/Media/Archives/News/2015_News.pdf"
+ "year": "2015",
+ "url": "/Resources/Media/Archives/News/2015_News.pdf"
 },
 {
- "year": "2014",
- "url": "/Resources/Media/Archives/News/2014_News.pdf"
+ "year": "2014",
+ "url": "/Resources/Media/Archives/News/2014_News.pdf"
 },
 {
- "year": "2013",
- "url": "/Resources/Media/Archives/News/2013_News.pdf"
+ "year": "2013",
+ "url": "/Resources/Media/Archives/News/2013_News.pdf"
 },
 {
- "year": "2012",
- "url": "/Resources/Media/Archives/News/2012_News.pdf"
+ "year": "2012",
+ "url": "/Resources/Media/Archives/News/2012_News.pdf"
 },
 {
- "year": "2011",
- "url": "/Resources/Media/Archives/News/2011_News.pdf"
+ "year": "2011",
+ "url": "/Resources/Media/Archives/News/2011_News.pdf"
 },
 {
- "year": "2010",
- "url": "/Resources/Media/Archives/News/2010_News.pdf"
+ "year": "2010",
+ "url": "/Resources/Media/Archives/News/2010_News.pdf"
 },
 {
- "year": "2009",
- "url": "/Resources/Media/Archives/News/2009_News.pdf"
+ "year": "2009",
+ "url": "/Resources/Media/Archives/News/2009_News.pdf"
 },
 {
- "year": "2008",
- "url": "/Resources/Media/Archives/News/2008_News.pdf"
+ "year": "2008",
+ "url": "/Resources/Media/Archives/News/2008_News.pdf"
 },
 {
- "year": "2007",
- "url": "/Resources/Media/Archives/News/2007_News.pdf"
+ "year": "2007",
+ "url": "/Resources/Media/Archives/News/2007_News.pdf"
 },
 {
- "year": "2006",
- "url": "/Resources/Media/Archives/News/2006_News.pdf"
+ "year": "2006",
+ "url": "/Resources/Media/Archives/News/2006_News.pdf"
 },
 {
- "year": "2005",
- "url": "/Resources/Media/Archives/News/2005_News.pdf"
+ "year": "2005",
+ "url": "/Resources/Media/Archives/News/2005_News.pdf"
 },
 {
- "year": "2004",
- "url": "/Resources/Media/Archives/News/2004_News.pdf"
+ "year": "2004",
+ "url": "/Resources/Media/Archives/News/2004_News.pdf"
 },
 {
- "year": "2003",
- "url": "/Resources/Media/Archives/News/2003_News.pdf"
+ "year": "2003",
+ "url": "/Resources/Media/Archives/News/2003_News.pdf"
 },
 {
- "year": "2002",
- "url": "/Resources/Media/Archives/News/2002_News.pdf"
+ "year": "2002",
+ "url": "/Resources/Media/Archives/News/2002_News.pdf"
 },
 {
- "year": "2001",
- "url": "/Resources/Media/Archives/News/2001_News.pdf"
+ "year": "2001",
+ "url": "/Resources/Media/Archives/News/2001_News.pdf"
 },
 {
- "year": "2000",
- "url": "/Resources/Media/Archives/News/2000_News.pdf"
+ "year": "2000",
+ "url": "/Resources/Media/Archives/News/2000_News.pdf"
 },
 {
- "year": "1999",
- "url": "/Resources/Media/Archives/News/1999_News.pdf"
+ "year": "1999",
+ "url": "/Resources/Media/Archives/News/1999_News.pdf"
 }
 ],
 "archiveBlogs": [
@@ -13010,7 +13538,7 @@ "content": "Tod also writes about The CNA Mentoring Program on the CVE Blog." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "“We Speak CVE” is a free podcast about cybersecurity, vulnerability management, and the CVE Program. Listen on the CVE Program Channel on YouTube, on We Speak CVE page on Buzzsprout, and on major podcast directories such as Spotify, Stitcher, Google Podcasts, Apple Podcasts, iHeartRadio, Podcast Addict, Podchaser, Pocket Casts, Deezer, Listen Notes, Player FM, and Podcast Index, among others." } ], @@ -13045,7 +13573,7 @@ "urlKeywords": "Managing Modernization and Automation Changes", "date": "2021-08-24", "description": [ - { + { "contentnewsType": "paragraph", "content": "NOTE: Content in this episode is now out of date. Visit the CVE Services page for the most current information.

Kelly Todd of the CVE Program speaks with Lisa Olson of Microsoft about managing the modernization and automation changes currently underway in the CVE Program." }, @@ -13054,7 +13582,7 @@ "content": "Topics include the efforts of the newly formed CVE Transition Working Group (Lisa, a CVE Board member, is co-chair); automation of CVE ID assignment and CVE Record publishing for CVE Numbering Authorities (CNAs), including the availability of free APIs and other improvements on the way; the upcoming new version release of JSON for the CVE Record format format to enhance the data associated with a record; the upcoming availability of program metrics for the CVE community, as well as customized dashboards for use by CNAs; the upcoming launch of a new and more modern CVE website using a new url, cve.org; among other program improvements. In addition, Lisa discusses the benefits of partnering with the CVE Program as a CNA and of being a member of the global CNA community." }, { - "contentnewsType": "paragraph", + "contentnewsType": "paragraph", "content": "“We Speak CVE” is a free podcast about cybersecurity, vulnerability management, and the CVE Program. Listen as an MP3, on YouTube, and on major podcast directories such as Spotify, Stitcher, Google Podcasts, Apple Podcasts, iHeartRadio, Podcast Addict, Podchaser, Pocket Casts, Deezer, Listen Notes, Player FM, and Podcast Index, among others." } ], diff --git a/src/views/About/Metrics.vue b/src/views/About/Metrics.vue index ad66aab0..2a08fe09 100644 --- a/src/views/About/Metrics.vue +++ b/src/views/About/Metrics.vue @@ -293,221 +293,226 @@

CNA Enrichment Recognition List

-

Last Updated:

- +

Last Updated:

+
+ +
diff --git a/src/views/About/RelatedEfforts.vue b/src/views/About/RelatedEfforts.vue index 0afd99be..d9cbe62b 100644 --- a/src/views/About/RelatedEfforts.vue +++ b/src/views/About/RelatedEfforts.vue @@ -20,7 +20,9 @@ CVE List was launched by The MITRE Corporation - as a community effort in 1999. While separate, output from both programs is available to the public and free to use. + as a community effort in 1999. The CVE List feeds NVD, which historically has built upon the information included + in CVE Records to provide enhanced information for each record in its database. While separate, output from both + programs is available to the public and free to use.

diff --git a/src/views/ProgramOrganization/ProgramRelationshipwithPartners.vue b/src/views/ProgramOrganization/ProgramRelationshipwithPartners.vue index 87ecfc6e..2cef2aa4 100644 --- a/src/views/ProgramOrganization/ProgramRelationshipwithPartners.vue +++ b/src/views/ProgramOrganization/ProgramRelationshipwithPartners.vue @@ -74,9 +74,9 @@ NVD is a vulnerability database operated by the National Institute of Standards and Technology (NIST). - The content of + The CVE List feeds NVD, which historically has built upon the information included in CVE Records - is consumed by NVD. + to provide enhanced information for each record in its database.