
CVE Announce - February 8, 2024 (opt-in newsletter from the CVE website)


1. 13 Additional Organizations Added as CVE Numbering Authorities (CNAs)

2. Register Now for CVE/FIRST VulnCon 2024 on March 25-27, 2024!

3. Phase 2 of Legacy CVE Download Formats Deprecation Now Underway

4. A Clarification on CVE Records with a DISPUTED Tag

5. CVE Podcast — The Council of Roots

6. Madison Oliver of GitHub Security Lab Joins CVE Board

7. Tod Beardsley of Austin Hackers Anonymous (AHA!) Joins CVE Board

8. Have an Innovative Idea or a New Feature Request to Enhance the CVE Program?

9. Keeping Up with CVE
13 Additional Organizations Added as CVE Numbering Authorities (CNAs)

 

As of January 1, 2024, thirteen (13) additional organizations from around the world have partnered with the program as CNAs. This includes our first-ever CNA partners from Dominican Republic, Greece, and Lithuania!

 

  1. ChromeOS Project: Vulnerabilities that are (1) reported to ChromeOS Security, (2) affect ChromeOS device software and hardware, including our open-source dependencies, and (3) are not covered by another CNA’s scope (USA)
  2. Concrete CMS: Concrete CMS Core versions 8.5 and above (USA)
  3. curl: All products made and managed by the curl project. This includes curl, libcurl, and trurl (Sweden)
  4. ELAN Microelectronics Corp.: ELAN issues only (Taiwan)
  5. Ericsson: Ericsson issues only (Sweden)
  6. EU Agency for Cybersecurity (ENISA): Vulnerabilities in information technology (IT) products discovered by European Union (EU) Computer Security Incident Response Teams (CSIRTs) or reported to EU CSIRTs for coordinated disclosure, as long as they do not fall under a CNA with a more specific scope (Greece)
  7. Financial Security Institute (FSI): Vulnerability assignment related to FSI’s vulnerability coordination role in the South Korea financial sector that are not in another CNA’s scope (South Korea)
  8. GNU C Library: Security issues and vulnerabilities in the GNU C Library (USA)
  9. Milestone Systems A/S: Supported Milestone XProtect products (Denmark)
  10. PostgreSQL: postgresql.org/download software and related projects listed at postgresql.org/support/security (Canada)
  11. Pentraze Cybersecurity: Vulnerabilities in third-party software discovered by Pentraze Cybersecurity that are not in another CNA’s scope (Dominican Republic)
  12. Sonatype Inc.: All Sonatype products and vulnerabilities in third-party software discovered by Sonatype that are not in another CNA’s scope (USA)
  13. Teltonika Networks: Teltonika Networks products and services only (Lithuania)

 

CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

There are currently 358 CNAs (356 CNAs and 2 CNA-LRs) from 40 countries and 1 no country affiliation participating in the CVE Program. View the entire list of CNA partners on the CVE website.

 

Register Now for CVE/FIRST VulnCon 2024 on March 25-27, 2024!
Special Message for CVE Numbering Authorities (CNAs)

 

CNAs, please note that VulnCon 2024 takes the place of this year’s Spring CVE Global Summit.

 

VulnCon 2024

 

The CVE Program and FIRST will co-host VulnCon 2024 at the McKimmon Center in Raleigh, North Carolina, USA, on March 25-27, 2024. In-person and virtual registration is now open on this FIRST web page.

 

The purpose of VulnCon, which is open to the public, is to bring together vulnerability management and cybersecurity professionals to develop forward-leaning ideas that can be taken back to individual programs for action, to the benefit of the vulnerability management ecosystem. A key goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and to determine how best to benefit the ecosystem broadly.

 

Registration

 

Registration is now open. Please note that discounted rates are not being offered for this event regardless of membership or speaking status.

 

  • Standard Admission: US $250.00
  • Virtual Admission: US $100.00

 

Registration fees for standard admission include three days of coffee breaks and buffet lunches, one networking reception, and applicable meeting materials.

 

Register now using FIRST’s Event Registration Form.

 

Venue

 

McKimmon Center
North Carolina State University
1101 Gorman St.
Raleigh, North Carolina 27606
USA

 

Learn More About VulnCon 2024

 

For most up-to-date information, visit the CVE/FIRST VulnCon 2024 conference page hosted on the FIRST website.

We look forward to seeing you at this first-ever community event and encourage you to register today!

 

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/blog/2024/02/06/Register-Now-for-CVE-FIRST-VulnCon-2024 
CVE on Medium -
https://medium.com/@cve_program/register-now-for-cve-first-vulncon-2024-on-march-25-27-2024-f83d2c7f12c9 

 

Phase 2 of Legacy CVE Download Formats Deprecation Now Underway

 

Phase 2 of the phased deprecation of legacy CVE content download formats (i.e., CSV, HTML, XML, and CVRF) scheduled for the first half of 2024 is underway. In Phase 2, which will occur throughout the month of February 2024, the legacy download formats will only be updated every other week per the phase-out schedule.

 

The legacy download formats have been replaced by CVE JSON as the only supported format for CVE Records and downloads. See below.

 

This change was first announced in July 2023 in a CVE Blog article entitled “Legacy CVE Download Formats Will Be Phased Out Beginning January 1, 2024” on the CVE.ORG website and promoted throughout the remainder of 2023 in the CVE Announce email newsletter and on CVE social media. A second blog article, entitled “Deprecation of Legacy CVE Download Formats Now Underway,” was published in January 2024.

 

Phase-Out Schedule

 

Phased deprecation means that the frequency of updates to the legacy download formats will be reduced over the coming months until they are no longer updated at the end of June 2024.

 

To assist consumers with their transition to the new format, the frequency of updates to the legacy download formats is being reduced from daily updates (which ended on December 31, 2023) to updates on the following schedule:

  • January 2024: Once-per-week updates.
  • February 2024: Every-other-week updates.
  • March–June 2024: Once-per-month updates.
  • June 30, 2024: Legacy download formats no longer updated with new CVE Records.

 

New Format for CVE Records and Downloads

 

CVE Downloads in our new official data format for CVE Records, “CVE JSON,” are hosted in the cvelistV5 repository on GitHub.com. Update frequency and other details are available in the repository ReadMe.

 

CVE JSON is a richer, more structured format for vulnerability identification and description and will provide enhanced information for your customers. The schema for this new format is also available on GitHub.

 

Who Is Affected?

 

CVE Numbering Authority (CNA) partners, tool vendors, and other parties that use CVE download files for automation or other purposes should pay particular attention to this change.

 

Take Action Now!

 

Product teams and others need to update their tools and processes to the new supported format prior to these legacy format download files no longer being updated after June 30, 2024.
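As an added example of the tooling update this article asks for (not code from the CVE Program or the cvelistV5 repository), the following Python reduces one CVE JSON 5.0 record to the fields a vulnerability pipeline keys on, and surfaces the DISPUTED tag discussed in the dispute-policy article below rather than dropping the record. The record is a constructed sample with a placeholder CVE ID; the field names (dataType, cveMetadata, containers.cna.*) follow the published CVE JSON 5.0 schema.

```python
"""Minimal consumer for a CVE JSON 5.0 record, the format served from cvelistV5.

Added example, not code from the CVE Program. SAMPLE_RECORD is a constructed
record with a placeholder CVE ID; field names follow the CVE JSON 5.0 schema.
"""
import json

# Constructed sample record (placeholder ID, made-up vendor/product and CVSS data).
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {"cveId": "CVE-2024-99999999", "state": "PUBLISHED",
                    "assignerShortName": "example-cna"},
    "containers": {"cna": {
        "tags": ["disputed"],
        "descriptions": [{"lang": "en", "value": "Constructed issue in ExampleProduct."}],
        "affected": [{"vendor": "ExampleVendor", "product": "ExampleProduct",
                      "versions": [{"version": "1.0", "status": "affected",
                                    "lessThan": "1.4", "versionType": "semver"}]}],
        "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE",
                                            "cweId": "CWE-79",
                                            "description": "Cross-site scripting"}]}],
        "metrics": [{"cvssV3_1": {"baseScore": 6.1, "baseSeverity": "MEDIUM",
                                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}],
        "references": [{"url": "https://example.invalid/advisory"}],
    }},
})

CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0")  # preferred order when several are present


def summarize(record_json: str) -> dict:
    """Reduce a CVE JSON 5.x record to the fields a vulnerability pipeline keys on."""
    rec = json.loads(record_json)
    if rec.get("dataType") != "CVE_RECORD" or not str(rec.get("dataVersion", "")).startswith("5."):
        raise ValueError("not a CVE JSON 5.x record")
    meta = rec["cveMetadata"]
    cna = rec.get("containers", {}).get("cna", {})

    # First English description; REJECTED records carry none under cna.descriptions.
    description = next((d["value"] for d in cna.get("descriptions", [])
                        if d.get("lang", "").startswith("en")), "")
    affected = []
    for entry in cna.get("affected", []):
        for ver in entry.get("versions", []):
            if ver.get("status") != "affected":
                continue
            rng = ver["version"] + (f" to <{ver['lessThan']}" if "lessThan" in ver else "")
            affected.append(f"{entry.get('vendor', '?')} {entry.get('product', '?')} {rng}")
    cwes = sorted({d["cweId"] for pt in cna.get("problemTypes", [])
                   for d in pt.get("descriptions", []) if "cweId" in d})
    score = None
    for metric in cna.get("metrics", []):
        score = next((metric[k].get("baseScore") for k in CVSS_KEYS if k in metric), None)
        if score is not None:
            break
    return {
        "cve_id": meta["cveId"],
        "state": meta.get("state"),
        "description": description,
        "affected": affected,
        "cwe_ids": cwes,
        "cvss_base_score": score,
        # The tag means the parties disagree and the Program has not ruled; keep the
        # record and route it to an analyst instead of filtering it out.
        "disputed": "disputed" in cna.get("tags", []),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RECORD), indent=2))
```

Real records are read from the cvelistV5 repository one JSON file per CVE ID, so the same function applies unchanged to each file's contents.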

 

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/blog/2024/02/06/Phase-2-Deprecation-of-Legacy-Downloads-Underway 
CVE on Medium -
https://www.cve.org/Media/News/item/blog/2024/02/06/Register-Now-for-CVE-FIRST-VulnCon-2024  

 

A Clarification on CVE Records with a DISPUTED Tag

 

By Shannon Sabens, CrowdStrike, CVE Board Member and CVE Outreach and Communications Working Group (OCWG) Co-Chair

 

Several years ago, it was clear to the CVE Board that we would need a specific process for the inevitable disputes that may arise around vulnerability reporting. Potential scenarios may be obvious to many, but a basic example would be when a finder reports a potential vulnerability to a vendor/maintainer that agrees a bug exists but disagrees that it’s a potential security hole.

 

CVE Record Dispute Policy

 

By publishing the “CVE Record Dispute Policy” in 2022, the CVE Program has aimed to provide an easy pathway to affected parties for disputes resolution that moves up through a CVE Numbering Authority (CNA), Root, Top-Level Root (TL-Root), and Council of Roots (CoR) hierarchy. Note that a “Root” is an organization authorized within the CVE Program that is responsible, within a specific scope, for the recruitment, training, and governance of one or more CNAs. If you are picturing a hierarchy of CNAs that enable the program to scale, then you’ve got it. Roots help new CNAs onboard and support CNAs to follow the rules of the program. When needed, a dispute may be escalated to the CNA’s Root (and upward in the hierarchy, if needed) as detailed in the CVE Record Dispute Policy.

 

A flow chart of the CVE Record Dispute Policy process is below. A more complete description of the process is included in the policy document here.

 

Source: https://www.cve.org/Resources/General/Policies/CVE-Record-Dispute-Policy.pdf

 

DISPUTED Tag Could Be Temporary or Indefinite

 

It is not possible in all cases for the Root, TL-Root, or CoR to establish who may be correct in such disputes (though a decision by the CoR is final). In such cases, the Program may give the CVE Record a designation of “DISPUTED.”

 

A “DISPUTED” tag in a CVE Record could be for one (or more) of any number of reasons, for example, questions of accuracy, completeness, or whether the bug in question is, in fact, a security hole at all.

 

In these instances, it is the Board’s intent — per the CVE Record Dispute Policy — that the Program:

 

  • Will not make a determination as to which party in the dispute is correct.
  • Will allow the reader to be informed of a potential vulnerability by adding the DISPUTED tag to the CVE Record in question.
  • Will enable the reader (by allowing the record to remain published with the DISPUTED tag) to decide whether the disputed report represents a threat to his or her organization’s assets.

 

Recently, we have observed in public discourse some assumptions by the community that the DISPUTED tag is an interim state. However, in some cases, the DISPUTED tag may remain in place indefinitely.

 

The complete details of the CVE Program’s disputes policy can be found here.

 

Share this article or comment on Medium:
CVE Website -  https://www.cve.org/Media/News/item/blog/2024/01/30/CVE-Records-DISPUTED-Tag-Clarification 
CVE on Medium -
https://medium.com/@cve_program/a-clarification-on-cve-records-with-a-disputed-tag-27d4c294bb19

 

CVE Podcast – The Council of Roots

 

Learn how CVE Numbering Authority (CNA) partners — ranging from large to small organizations, proprietary and open-source products or projects, disparate business sectors, and different geographic locations — are overseen and supported within the CVE Program by “Top-Level Roots” and “Roots.” Topics include the roles and responsibilities of the two different types of Roots; how their work benefits the CNAs under their care; how they recruit new CNA partners, including suggestions for addressing upper management concerns if a CNA prospect organization is hesitant to partner as a CNA; how they work with and support their CNAs over time; how the “Council of Roots” works together to enhance and help improve the program overall; and much more.

 

All current CVE Program Top-Level Roots and Roots are represented in this podcast. In addition to host Shannon Sabens of CrowdStrike, speakers include Julia Turkevich of the CISA Top-Level Root and CISA ICS Root, Dave Morse of the MITRE Top-Level Root, Cristian Cadenas Sarmiento of the INCIBE Root, Paul Dev of the Google Root, Tomo Ito of the JPCERT/CC Root, and Yogesh Mittal of the Red Hat Root.

 

The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.

 

Share this article or comment on Medium:
CVE Podcast - https://www.cve.org/Media/News/item/podcast/2024/01/30/The-Council-of-Roots
CVE on Medium -
https://medium.com/@cve_program/we-speak-cve-podcast-the-council-of-roots-d68c3d7ecc65 

 

Madison Oliver of GitHub Security Lab Joins CVE Board

 

The CVE Program is pleased to welcome Madison Oliver of GitHub Security Lab as the newest member of the CVE Board. Madison will provide the Board with an open-source community perspective and help enhance collaboration between the CVE Program and that community.

 

About Madison

 

Madison is a vulnerability transparency advocate and Senior Security Manager at GitHub, leading the Advisory Database Curation team. She is passionate about vulnerability reporting, response, and disclosure, and her views are enriched by her prior experience as a product incident response analyst at GitHub and as a vulnerability coordinator at the CERT Coordination Center (CERT/CC) at the Software Engineering Institute at Carnegie Mellon University (CMU).

 

She began her engagement with the CVE Program while at CERT/CC by supporting the CERT/CC CVE Numbering Authority (CNA) and participating in many of the working groups. While there, she also coordinated vulnerabilities in high-impact, widely used software and specifications, such as HTTP/2 and Bluetooth, laying the groundwork for impactful contributions to vulnerability disclosure best practices. During her tenure at GitHub, she has been focused on open-source security and has led the response to vulnerabilities such as Log4Shell (CVE-2021-44228) and managed both of GitHub’s CNAs at various points, including one of the highest assigning CNAs in the program.

 

She loves engaging with the technical community and students and promoting a diverse representation in technical fields. Her prior involvement in relevant Forum of Incident Response and Security Teams (FIRST) working groups and active participation in the Open Source Security Foundation’s (OpenSSF) vulnerability disclosure working group and related special interest groups underscores her continued commitment to industry collaboration. As a former undergraduate cybersecurity adjunct professor at Duquesne University, she contributed to shaping the next generation of cybersecurity professionals. She earned an M.S. in Information Security Policy and Management from CMU, and a B.S. in Security and Risk Analysis from the Pennsylvania State University (PSU). She continues to contribute to academia by serving on the PSU College of Information Sciences and Technology alumni board.

 

Madison’s multifaceted contributions exemplify her dedication to advancing cybersecurity, fostering community collaboration, and shaping the future of vulnerability disclosure.

 

About the CVE Board

 

The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information.

 

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/blog/2024/01/09/Madison-Oliver-GitHub-Security-Lab-CVE-Board 
CVE on Medium - 
https://medium.com/@cve_program/madison-oliver-of-github-security-lab-joins-cve-board-0d170b43b540 

 

Tod Beardsley of Austin Hackers Anonymous (AHA!) Joins CVE Board

 

The CVE Program is pleased to welcome Tod Beardsley of Austin Hackers Anonymous (AHA!) as the newest member of the CVE Board. Tod is chair of the CVE Numbering Authority Coordination Working Group (CNACWG) and has served multiple terms as the CNA Liaison to the Board.

 

About Tod

 

Tod Beardsley is employed by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA). He is also a founder of, and the CVE Numbering Authority (CNA) point of contact for, AHA!. He spends most of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD).

Tod has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern Internet of Things (IoT) implementations. He has held information technology (IT) operations, security, software engineering, and management positions in large organizations such as Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner.

 

Tod is a long-term active member of the CVE community. In addition to chairing the CNACWG and serving as CNA Board Liaison, Tod created the CNA Mentoring Program, has led or contributed to numerous CVE- and CNA-oriented workshops, and published “An Inside Look at What Makes the CVE Program Tick” on SCMagazine.

 

Tod has authored several research papers and hosted the Security Nation podcast. He is a Travis County Election Judge in Texas and an internationally tolerated horror fiction expert.

 

About the CVE Board

 

The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information.

 

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/blog/2024/02/06/Tod-Beardsley-Austin-Hackers-Anonymous-CVE-Board
CVE on Medium -
https://medium.com/@cve_program/tod-beardsley-of-austin-hackers-anonymous-aha-joins-cve-board-9371bc0df4f6

 

Have an Innovative Idea or a New Feature Request to Enhance the CVE Program?

 

The CVE Program welcomes innovative ideas and new feature requests from the community in our CVE Program Ideas repository on GitHub.com. We encourage you to submit any suggestions you may have to enhance the CVE Program and help us better serve the broader community.

 

Submissions could include programmatic rule/policy suggestions, innovative automation features to support more efficient CVE Record publication and use, or any other ideas you might have.

 

Please note that this new repository will be used exclusively to receive and manage innovative idea suggestions and new feature requests for the overall CVE Program. It is not meant to replace previously established bug and issue trackers for the CVE Website-, CVE Services-, or CVE JSON 5.0 schema-related issues.

 

Making a Submission

 

Follow the steps below to submit your innovative idea or new program feature request on GitHub. You will need a GitHub account to make a submission.

 

  1. Navigate to the CVE Program Innovation Ideas and Feature Requests Issues page on GitHub.
  2. Click the “New Issue” button in the upper-right corner of the page to launch the “CVE Program New Automation Feature Request” page.
  3. Click the “Get started” button to launch the new issue template.
  4. In the “Title” field, enter a title that briefly describes your innovative idea or suggested feature.
  5. In the “Write” field, follow the instructions provided in the template to add more details.
  6. Once your submission is complete, click the “Submit new issue” button at the bottom of the form.

 

CVE Program Issue Tracker Template

 

Important: Please do not select any of the options in the right-hand column next to the form (not shown in above image). Those options will be used by the CVE Program to manage the submissions.

 

Processing of Submissions

 

Once your submission is received by the CVE Program, it will be reviewed by the CVE Board (or its designated working group). The disposition of all innovative ideas and new program feature requests can be tracked on the CVE Program Innovative Ideas/Feature Tracker. Questions about this initiative should be sent to the CVE Automation Working Group (AWG) at awg@cve-cwe-programs.groups.io.

 

We look forward to hearing from you!

 

Share this article or comment on Medium:
CVE Website - https://www.cve.org/Media/News/item/news/2023/08/29/CVE-Program-Idea-Tracker
CVE on Medium -
https://medium.com/@cve_program/have-an-innovative-idea-or-a-new-feature-request-to-enhance-the-cve-program-ead0b7c161e2  

 

Keeping Up with CVE

 

Follow us for the latest from CVE:

  • @CVEnew – X-Twitter feed of the latest CVE Records
  • @CVEannounce – X-Twitter feed of news and announcements about CVE
  • @CVE_Program – Mastodon feed of news and announcements about CVE
  • CVE Program – LinkedIn page
  • CVE-CWE-CAPEC – LinkedIn showcase page
  • CVE Blog – CVE website
  • CVE Blog on Medium – Medium
  • We Speak CVE – Podcast
  • CVEProject – GitHub
  • CVE Program Channel – YouTube
  • CVE Announce Newsletter – Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://www.cve.org/Media/News/NewsletterSignup. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

 

CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2024, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.