
CVE Announce - November 27, 2024 (opt-in newsletter from the CVE website)


Featured

·       CVE Program Celebrates 25 Years of Impact

·       Chris Turner of NIST Joins the CVE Board as the “NIST CVE Board Liaison”

·       CVE Program Report for Quarter 3 Calendar Year (Q3 CY) 2024

·       31,770 CVE Records Used as Basis for the “2024 CWE Top 25 Most Dangerous Software Weaknesses List”

CVE Numbering Authorities (CNAs)

·       12 Additional Organizations Added as CNAs

·       Vulnerability Data Enrichment for CVE Records: 224 CNAs on the Enrichment Recognition List for November 18, 2024

·       Our CVE Story: Biohacking Village

Community

·       CVE in the News

 

 

Featured

 

 

CVE Program Celebrates 25 Years of Impact


In October, the Common Vulnerabilities and Exposures (CVE®) Program commemorated its 25th anniversary, marking a quarter-century of enabling coordinated vulnerability management through global collaboration and innovation. Launched in 1999, the CVE Program has transformed the way organizations identify and manage cybersecurity vulnerabilities, enabling stronger defenses against cyber threats. The CVE 25th Anniversary Report is available now on the CVE.ORG website.

 

MITRE presented the original vision for the CVE List in a groundbreaking white paper during the 2nd Workshop on Research with Security Vulnerability Databases. Since then, the CVE Program has evolved into a vital resource for cybersecurity professionals and serves as the backbone for the global vulnerability management ecosystem. The program has seen widespread adoption, with over 400 CVE Numbering Authorities (CNAs) from 40 countries now producing CVE Records that are incorporated into countless products and security advisories. From the initial 321 CVE Records in 1999 to over 240,000 in October 2024, CVE serves as a cornerstone for effective vulnerability management worldwide across national vulnerability databases, cybersecurity tool vendors, incident response operations, researchers, and policymakers.

 

“As we reflect on this historic milestone, we recognize the collective efforts of hundreds of organizations and thousands of individuals across our diverse partner community that contributed to making the CVE Program a success,” said Kent Landfield and Lisa Olson speaking on behalf of the CVE Board.

 

“CISA is proud to sponsor the CVE Program. We are committed to working with the CVE Program’s community of international stakeholders to reduce cybersecurity risk by addressing the prevalence and impact of vulnerabilities across enterprises and technologies,” said Sandra Radesky, CISA Associate Director of Vulnerability Management.

 

“The success of the CVE Program is a testament to the power of federation; its collaborative approach brings together experts in industry, government, and academia across the globe to create a common and scalable vulnerability identification standard that provides a foundation for vulnerability management worldwide,” said Yosry Barsoum, Vice President of the Center for Securing the Homeland at MITRE.

 

Looking ahead, the CVE Program is committed to expanding its reach and impact. Its priorities include continuing to increase program adoption and coverage through growing the CNA community in less represented industry sectors, strengthening the connection between the program and its downstream consumers, and further increasing the value and quality of CVE Records through data enrichment.

 

As we reflect on 25 years of achievements, we encourage all cybersecurity professionals, researchers, and partners to engage with the CVE Program and contribute to its ongoing development. Together, we can continue to strengthen the global cybersecurity landscape and address the evolving challenges of our digital world.

 

View the CVE 25th Anniversary Report here.

 

 

Share this CVE article:

https://medium.com/@cve_program/cve-program-celebrates-25-years-of-impact-f8f8c6b28f69 

 

Chris Turner of NIST Joins the CVE Board as the “NIST CVE Board Liaison”


The CVE Program is pleased to announce that Chris Turner of the National Institute of Standards and Technology (NIST) is the newest member of the CVE Board, serving as the “NIST CVE Board Liaison.”

 

Per the CVE Board Charter, “Section 1.3.3 Organizational Liaison – An Organizational Liaison position allows for tighter partnerships with targeted organizations. This type of role provides the Board with greater flexibility for how external organizations work with the Board and CVE Program governance. There can be one or more organization(s) designated to have a liaison relationship with the Board at any one time. Each Organization with a Liaison position will have a single seat on the Board reserved for the Organizational Liaison representing them. This allows the Board representation from specific organizations as needed. This is a term-limited seat that must be reconfirmed by the Secretariat when the term set expires. The default term, unless specified by the Board during the establishment of the organization’s liaison role, is one year. The Secretariat assures the Organization wishes to continue the Board relationship and that the designated individual is the proper person to fill the role for the organization for the upcoming term. The Organization’s liaison is a voting member of the Board and can serve more than one consecutive term if the Organization desires. This position is a two-way conduit for the Organization to bring things to and from the Board in an official and structured way.”

About Chris Turner

 

Chris Turner is a seasoned professional with over a decade of experience in information security and vulnerability management. Currently, he serves as the Senior Advisor for the U.S. NVD at NIST. Chris is deeply committed to enhancing the accessibility and utility of vulnerability management data, tools, and educational resources.

 

Prior to his current role, Chris was the Lead Vulnerability Analyst for the NVD, where he led efforts to advance the program’s analytical capabilities and fostered significant improvements in the vulnerability management landscape. His extensive knowledge of the vulnerability management ecosystem and its implications for overall cybersecurity makes him a trusted authority in the field.

 

Chris’ passion and expertise drive his ongoing contributions to the security community, aiming to create a safer and more resilient digital environment.

About the CVE Board


The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information.


Share or comment on this CVE article on Medium:

https://medium.com/@cve_program/chris-turner-of-nist-joins-the-cve-board-as-the-nist-cve-board-liaison-d23a03dbfa69

 

CVE Program Report for Quarter 3 Calendar Year (Q3 CY) 2024


The CVE Program’s quarterly summary of program milestones and metrics for Q3 CY 2024.

 

Q3 CY 2024 Milestones

 

Twenty-Four CVE Numbering Authorities (CNAs) Added

 

The twenty-four (24) new CNAs added this quarter are listed below under their Top-Level Root (TL-Root) or Root. Scope of coverage is described next to their organization name.

 

Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Root:

 

  • ASUSTeK Computer Incorporation - ASUS issues only (Taiwan)
  • Cytiva - Cytiva branded products only (USA)
  • Pall Corporation - Pall branded products only (USA)
  • Stryker Corporation - All products of Stryker or a Stryker company including end-of-life/end-of-service products, and vulnerabilities in third-party software used in Stryker products that are not in another CNA’s scope (USA)

 

MITRE TL-Root:

 

  • Amazon - All Amazon and AWS products (including subsidiaries, supported, and EOL/EOS products), as well as vulnerabilities in third party software discovered by Amazon/AWS that are not in another CNA’s scope (USA)
  • Arxscan, Inc. - Arxscan issues only (USA)
  • Cato Networks - All Cato Networks products and vulnerabilities in third-party products affecting Cato products unless covered by the scope of another CNA (Israel)
  • Forescout Technologies - Forescout issues only (USA)
  • Huntress Labs Inc. - All Huntress products, as well as vulnerabilities in third-party software discovered by Huntress that are not in another CNA’s scope (USA)
  • Imagination Technologies - Imagination Technologies branded products and technologies and Imagination Technologies (IMG) managed open source projects (UK)
  • Intigriti - Vulnerabilities in Intigriti products and vulnerabilities discovered by, or reported to, Intigriti that are not in another CNA’s scope (Belgium)
  • Ivanti - Vulnerabilities in supported Ivanti products and infrastructure, excluding third-party components, and meeting severity thresholds defined in Ivanti’s Disclosure Policy found here (USA)
  • Kong Inc. - Kong products; Kong Konnect, Kong Enterprise, Kong Mesh, and Kong Insomnia, including Kong Opensource; Kong Gateway, Kuma, Insomnia (USA)
  • Leica Microsystems - Leica Microsystems products as listed on https://www.leica-microsystems.com/products (Germany)
  • Monash University - Cyber Security Incident Response Team - Vulnerabilities in any Monash University developed products, or vulnerabilities identified in third-party vendor products used by Monash University, unless covered by the scope of another CNA (Australia)
  • PlexTrac, Inc. - Vulnerabilities within PlexTrac’s products (USA)
  • Proton AG - Proton AG issues only (Switzerland)
  • RealPage - Vulnerabilities in RealPage products and services including but not limited to: Keyready, Knock CRM, HomeWiseDocs, REDS (Real Estate Data Solutions), G5, WhiteSky Communications, Chirp Systems, STRATIS IoT, Modern Message (Community Rewards), Hipercept, Investor Management Services, AIM, FUEL, Buildium, All Property Management, SimpleBills, DepositIQ, Rentlytics, ClickPay, LeaseLabs, PEX, On-Site, American Utility Management (AUM), Axiometrics, Lease Rent Optimization (LRO), AssetEye, NWP Services Corporation, Indatus, ActiveBuilding, RentMineOnline (RMO), MyNewPlace, Compliance Depot, SeniorLiving.net, eREI, Domin-8, Level One, Propertyware, Opstechnology, LeasingDesk, and YieldStar (USA)
  • Seal Security - Vulnerabilities in Seal products or services and vulnerabilities discovered in open-source libraries unless covered by the scope of another CNA (USA)
  • Super Micro Computer, Inc. - Supermicro branded products, managed system, or software projects (USA)
  • upKeeper Solutions - All upKeeper Solutions products, excluding end-of-life (EOL) as listed in the upKeeper Solutions End of Life Policy (Sweden)
  • WatchDogDevelopment.com, LLC - All WatchDog products (USA)
  • Wiz, Inc. - Vulnerabilities identified in Wiz products, and vulnerabilities discovered by, or reported to, Wiz that are not in another CNA’s scope (USA)
  • 9front Systems - All software produced as part of the Plan9front open source operating system, as well as its applications and cyberinfrastructure. Vulnerabilities discovered by or reported to 9front Systems for all Plan 9 software not covered by the scope of another CNA (USA)

 

Recognition for CNAs Actively Providing Vulnerability Data Enrichment for CVE Records

 

In September, the CVE Program began publicly recognizing those CNAs that are actively providing enhanced vulnerability data in their CVE Records. Published every two weeks, the “CNA Enrichment Recognition List” recognizes CNAs that provide Common Vulnerability Scoring System (CVSS) and Common Weakness Enumeration (CWE™) information 98% of the time or more within the two-week period of their last published CVE Record. The recognition list was published twice that month, on September 9 with 212 CNAs recognized and on September 23 with 215 CNAs recognized. Read the recognition list announcement here.

 

CVE Records Add New CVE Program Container

 

In July, the CVE Program added a new “CVE Program Container” within CVE Records that allows the program to deliver additional information more effectively to downstream users, while making no changes to the CVE Record Format schema used by CVE Program partners. The addition supports CVE Program capabilities including providing additional references and Record state information. Over time, the new container will also store various “value added” program data to further enhance individual CVE Records. Read the full announcement here.

 

“CNA Rules v4.0” in Effect as of August 8

 

The “CVE Numbering Authority (CNA) Operational Rules Version 4.0” took effect on August 8, 2024. The previous version, CNA Rules v3.0, was deprecated. After significant community participation and review, the CNA Rules v4.0 document was approved by the CVE Board on May 8, 2024, and published on the CVE website. CNAs were informed at that time that there would be a 90-day transition period to adjust their internal processes to integrate the new rules. That 90-day transition period ended on August 8, 2024, and CNAs are now required to comply with the new rules.

 

CVE and AI-related Vulnerabilities

 

Published in July, the “CVE and AI-related Vulnerabilities” blog article is the first in a series intended to document the CVE Board’s efforts to establish swim lanes for AI vulnerability disclosure within CVE. The blog series will discuss the concerns the Board is encountering in defining what is within the responsibilities of the CVE Program. Because not all AI issues are appropriate for a CVE assignment, the blog series will also try to define when other AI security-related initiatives are needed to address concerns outside the CVE Program. In this first blog in the series, the program’s definition of vulnerability is discussed as it relates to AI. Also noted is that the scope of some types of AI-enabled system security issues extends beyond that of the CVE Program, and that further guidelines are needed around vulnerabilities in AI systems that will enable a foundation for the best structuring of PSIRT flow and responsibilities, PSIRTs being a key consumer group of CVE data. In future blogs, the Board will provide further information on the program’s directions, additional details and considerations concerning AI-related CVE-ID assignment, and where researchers and security professionals may find additional assistance with AI and assurance challenges. The Board hopes that this blog series will help spark a needed community conversation on AI-related security and the new classes of threats we all must deal with going forward.

 

CVE Podcast Provides CNA Onboarding Process Myths Versus Facts

 

In the “CNA Onboarding Process Myths Versus Facts” podcast episode, recorded in August, the truth and facts about the following topics are discussed: duration and complexity of the onboarding process; the fact that there is no fee to participate; ease of incorporating assigning CVE Identifiers (CVE IDs) and publishing CVE Records into an organization’s existing coordinated vulnerability disclosure (CVD) processes; availability of automated tools for CNAs; the CVE JSON Record format and available guidance; role of Roots and Top-Level Roots and how they help CNAs; importance of CNAs determining their own scopes; disclosure policies; the community aspect of being a CNA and the availability of peer support; the value of CNAs participating in one or more CVE Working Groups, especially the CNA Organization of Peers (COOP); and more. Listen to the podcast episode here.

 

“Vulnogram User Guide” Available for CNAs

 

A community-developed “Vulnogram User Guide” (PDF, 4.0MB) was posted for CNAs on the CVE website in July. A “live” version of the document is available for CNAs on Google Docs, which continues to be reviewed and updated over time. The guide explains step-by-step how to use Vulnogram with CVE Services to manage users, CVE Identifiers (CVE IDs), and CVE Records. Vulnogram is a tool for creating and editing CVE information in the CVE Record Format, and for generating advisories. This guide is intended for CNAs that may operate at a comparatively smaller scale and are not using custom integration with CVE Services. Vulnogram is not owned or maintained by the CVE Program. Learn more about Vulnogram on GitHub.

 

Community Asked to Save the Date for CVE/FIRST VulnCon 2025 on April 7-10, 2025

 

In September, the CVE Program asked the community to “save the date” for CVE/FIRST VulnCon 2025 to be held April 7-10, 2025, at the McKimmon Center in Raleigh, North Carolina, USA. Co-hosted by the CVE Program and FIRST, the purpose of this second annual in-person and virtual event is to “collaborate with various vulnerability management and cybersecurity professionals to develop forward leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem. A key goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and best determine how to benefit the ecosystem broadly.” The call for papers and registration information will be available on the CVE/FIRST VulnCon 2025 conference page, hosted on the FIRST website, when available.

 

Q3 CY 2024 Metrics

 

Metrics for Q3 CY 2024 Published CVE Records and Reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons.

 

Terminology

 

  • Published: When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published. The associated data must contain an identification number (CVE ID), a prose description, and at least one public reference.
  • Reserved: The initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA.

 

Published CVE Records

 

As shown in the table below, CVE Program production was 8,591 CVE Records for CY Q3 2024. This is a 27% decrease from the 11,716 records published in CY Q2 2024. This includes all CVE Records published by all CNAs and the two CNAs of Last Resort (CNA-LRs).

 

Year                                   2024
Quarter                                Q1        Q2        Q3
CVE Records Published by All CNAs      8,697     11,716    8,591

 

Reserved CVE IDs

 

The CVE Program tracks reserved CVE IDs. As shown in the table below, 11,250 CVE IDs were in the “Reserved” state in Q3 CY 2024, a 10% decrease from the 12,529 IDs reserved in CY Q2 2024. This includes all CVE IDs reserved by all CNAs and the two CNA-LRs.

 

Year                                   2024
Quarter                                Q1        Q2        Q3
CVE IDs Reserved by All CNAs           13,499    12,529    11,250

 

CVE IDs Reserved/CVE Records Published Quarterly Trend by CY

 

Quarterly trend of reserved CVE IDs and published CVE Records by all CNAs and CNA-LRs. View as tables on the Metrics page on the CVE website.

 

CNA Partners Grow the CVE List

 

All of the CVE IDs and CVE Records cited in the metrics above are assigned and published by CNAs and the two CNA-LRs, within their own specific scopes.

 

CNAs partner with the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign. Currently, 421 CNAs (419 CNAs and 2 CNA-LRs) from 40 countries and 1 no country affiliation are partners with the CVE Program.

 

Learn how to become a CNA or contact one of the following to start the partnering process today:

 

  • CISA Top-Level Root: Vulnerabilities that are (1) reported to or observed by CISA and (2) affect critical infrastructure, U.S. civilian government, industrial control systems, or medical devices, and (3) are not covered by another CNA’s scope
  • CISA ICS Root: Vulnerabilities that are (1) reported to or observed by CISA, (2) affect industrial control systems or medical devices, and (3) are not covered by another CNA’s scope
  • MITRE Top-Level Root: Vulnerabilities, and Open-Source software product vulnerabilities, not already covered by a CNA listed on this website
  • Google Root: Alphabet organizations
  • INCIBE Root: Spain organizations
  • JPCERT/CC Root: Japan organizations
  • Red Hat Root: The Red Hat Root’s scope includes the open-source community, i.e., any open-source organization that prefers Red Hat as its Root (organizations are free to choose another Root if it suits them better)

 

Share or comment on this CVE article on Medium:

https://medium.com/@cve_program/cve-program-report-for-quarter-3-calendar-year-q3-cy-2024-b6a9c67e60b2

 

31,770 CVE Records Used as Basis for the “2024 CWE Top 25 Most Dangerous Software Weaknesses List”

 

The 2024 CWE Top 25 Most Dangerous Software Weaknesses was released by the Common Weakness Enumeration (CWE™) Program on November 19, 2024. The newly released list highlights the most severe and prevalent weaknesses behind the 31,770 CVE Records mapped in the 2024 dataset.

Uncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place. These weaknesses lead to serious vulnerabilities in software, and an attacker can often exploit them to take control of an affected system, steal data, or prevent applications from working.

The 2024 CWE Top 25 is the first time that the CVE Numbering Authority (CNA) community directly contributed CWE mapping reviews within the dataset, leveraging their expert knowledge of the products and access to information that might not be present in the CVE Record. In general, CNAs are best positioned to provide accurate CWE mapping determinations compared to third-party analysts, as CNAs are the authority for vulnerability information within their CNA scope and those closest to the products themselves.

Visit the CWE Top 25 page on the CWE website to view the full 2024 CWE Top 25 List, key insights, methodology, and more.

Share or comment on this CVE article on Medium:

https://medium.com/@cve_program/31-770-cve-records-used-as-basis-for-the-2024-cwe-top-25-most-dangerous-software-weaknesses-list-6fd940e829fe

 

 

CVE Numbering Authorities (CNAs)

 

12 Additional Organizations Added as CNAs

 

Since October 1st, twelve (12) additional organizations from around the world have partnered with the program as CNAs:

 

  1. Beckman Coulter Diagnostics – Beckman Coulter Diagnostics manufactured products and technologies only (USA)
  2. Cyber Security Agency of Singapore (CSA) – Vulnerabilities reported to CSA unless covered by the scope of another CNA (Singapore)
  3. Gridware Cybersecurity – Gridware software, services, and infrastructure issues, as well as vulnerabilities discovered by or reported to Gridware researchers that are not in another CNA’s scope (Australia)
  4. Leica Biosystems – All Leica Biosystems products (USA)
  5. Mammotome – All Mammotome products (USA)
  6. Neo4j – Neo4j products and Neo4j-maintained projects only, not including end-of-life components or products (Sweden)
  7. OceanBase – OceanBase products only, not including end-of-life components or products (China)
  8. Omnissa, LLC – All Omnissa products and services, including Workspace ONE and Horizon ()
  9. OMRON – Omron Group companies’ Industrial Automation, Healthcare, Social Systems, Device & Module Solutions issues only (Japan)
  10. PingCAP – Vulnerabilities in the following PingCAP maintained products and components: TiDB (code available at https://github.com/pingcap/tidb); TiKV (code available at https://github.com/tikv/tikv); PD (Placement Driver, code available at https://github.com/tikv/pd); TiFlash (code available at https://github.com/pingcap/tiflash); and tidbcloud (PingCAP’s cloud database service). This scope includes vulnerabilities in all supported versions of these products. CVE IDs will not be assigned for vulnerabilities found in unsupported versions or for third-party dependencies not maintained by PingCAP (USA)
  11. RTI – All RTI Connext products, including EOL products. See https://www.rti.com/products for more information (USA)
  12. Wikimedia Foundation – Any code repository hosted under gerrit.wikimedia.org, gitlab.wikimedia.org, or github.com/wikimedia that is not labeled as archived or marked as a fork of an upstream project. Please see our disclosure policy for additional exclusions to scope (USA)

 

CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

There are currently 421 CNAs (419 CNAs and 2 CNA-LRs) from 40 countries and 1 no country affiliation participating in the CVE Program. View the entire list of CNA partners on the CVE website.

 

Vulnerability Data Enrichment for CVE Records: 224 CNAs on the Enrichment Recognition List for November 18, 2024


The “CNA Enrichment Recognition List” for November 18, 2024, is now available with 224 CNAs listed. Published every two weeks on the CVE website, the list recognizes those CVE Numbering Authorities (CNAs) that are actively providing enhanced vulnerability data in their CVE Records. CNAs are added to the list if they provide Common Vulnerability Scoring System (CVSS) and Common Weakness Enumeration (CWE™) information 98% of the time or more within the two-week period of their last published CVE Record.

 

For more about the recognition list, see “Recognition for CNAs Actively Providing Vulnerability Data Enrichment for CVE Records.” To learn more about vulnerability information types like CVSS and CWE, see the CVE Record User Guide. View the most current CNA Enrichment Recognition List on the CVE website Metrics page here.
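As an added example (not code from the CVE Program, the CWE Program, or this newsletter), the Python script below turns three things described in this issue into runnable checks: the Published-state minimum from the Q3 report's terminology (a CVE ID, a prose description, and at least one public reference), the enrichment criterion behind the CNA Enrichment Recognition List (CVSS and CWE present in 98% or more of a CNA's records within the two-week window ending at its last published record), and a per-CWE tally of the kind that underlies the CWE Top 25 dataset. Field names follow the public CVE JSON 5.x record layout as I understand it (cveMetadata.state, containers.cna.metrics, containers.cna.problemTypes); that layout, the CNA names, CVE IDs and dates are assumptions and constructed placeholders, and exactly how the program computes its 98% figure is not documented on this page.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed CVE JSON 5.x layout: cveMetadata.{cveId,state,datePublished},
# containers.cna.{providerMetadata,descriptions,references,metrics,problemTypes}.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CWE_ID_RE = re.compile(r"^CWE-\d+$")


def provider_of(record):
    """shortName of the CNA that owns the record's 'cna' container."""
    return record.get("containers", {}).get("cna", {}).get("providerMetadata", {}).get("shortName")


def is_valid_published(record):
    """Published minimum: state PUBLISHED, well-formed CVE ID, a prose description, one public reference."""
    meta = record.get("cveMetadata", {})
    cna = record.get("containers", {}).get("cna", {})
    if meta.get("state") != "PUBLISHED":
        return False
    if not CVE_ID_RE.match(meta.get("cveId", "")):
        return False
    has_desc = any(d.get("value", "").strip() for d in cna.get("descriptions", []))
    has_ref = any(r.get("url") for r in cna.get("references", []))
    return has_desc and has_ref


def has_cvss(cna):
    """True if any metrics entry carries a CVSS v3.0/v3.1/v4.0 object with a baseScore."""
    for m in cna.get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if "baseScore" in m.get(key, {}):
                return True
    return False


def cwe_ids(cna):
    """All well-formed CWE identifiers in the record's problemTypes block."""
    return [d["cweId"] for pt in cna.get("problemTypes", [])
            for d in pt.get("descriptions", [])
            if CWE_ID_RE.match(d.get("cweId", ""))]


def parse_date(value):
    """CVE timestamps are ISO 8601 with a trailing Z; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def window_records(records, provider, days=14):
    """A CNA's published records in the window ending at its most recent publication."""
    mine = [r for r in records if is_valid_published(r) and provider_of(r) == provider]
    if not mine:
        return []
    latest = max(parse_date(r["cveMetadata"]["datePublished"]) for r in mine)
    start = latest - timedelta(days=days)
    return [r for r in mine if parse_date(r["cveMetadata"]["datePublished"]) >= start]


def enrichment_rate(records, provider, days=14):
    """Share of the window's records that carry both a CVSS score and a CWE mapping."""
    window = window_records(records, provider, days)
    if not window:
        return 0.0
    enriched = sum(1 for r in window
                   if has_cvss(r["containers"]["cna"]) and cwe_ids(r["containers"]["cna"]))
    return enriched / len(window)


def meets_recognition_threshold(records, provider, threshold=0.98):
    """The recognition list's bar, as the newsletter states it: 98% or more."""
    return enrichment_rate(records, provider) >= threshold


def cwe_frequency(records):
    """How often each CWE is mapped across published records (counted once per record)."""
    counts = Counter()
    for r in records:
        if is_valid_published(r):
            counts.update(set(cwe_ids(r["containers"]["cna"])))
    return counts


def make_record(cve_id, provider, date=None, cvss=None, cwe=None, state="PUBLISHED"):
    """Build a constructed record in the assumed 5.x layout; sample data, not real CVEs."""
    cna = {"providerMetadata": {"shortName": provider},
           "descriptions": [{"lang": "en", "value": f"Constructed description for {cve_id}."}],
           "references": [{"url": f"https://example.invalid/advisories/{cve_id}"}]}
    if cvss is not None:
        cna["metrics"] = [{"cvssV3_1": {"version": "3.1", "baseScore": cvss}}]
    if cwe is not None:
        cna["problemTypes"] = [{"descriptions": [{"lang": "en", "cweId": cwe, "description": cwe}]}]
    meta = {"cveId": cve_id, "state": state}
    if date:
        meta["datePublished"] = date
    containers = {"cna": cna} if state == "PUBLISHED" else {}  # reserved IDs expose no CNA data
    return {"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": meta, "containers": containers}


SAMPLE_RECORDS = [  # constructed placeholders; IDs, CNAs and dates are invented
    make_record("CVE-2024-0001", "ExampleCNA", "2024-11-01T10:00:00Z", 7.5, "CWE-79"),
    make_record("CVE-2024-0002", "ExampleCNA", "2024-11-04T10:00:00Z", 9.8, "CWE-89"),
    make_record("CVE-2024-0003", "ExampleCNA", "2024-11-10T10:00:00Z", 5.3),            # CVSS but no CWE
    make_record("CVE-2024-0004", "ExampleCNA", "2024-11-12T10:00:00Z", 8.8, "CWE-79"),
    make_record("CVE-2024-0005", "ExampleCNA", "2024-09-01T10:00:00Z"),                 # outside the window
    make_record("CVE-2024-0006", "OtherCNA", "2024-11-11T10:00:00Z", 6.1, "CWE-79"),
    make_record("CVE-2024-0007", "OtherCNA", "2024-11-13T10:00:00Z", 7.2, "CWE-22"),
    make_record("CVE-2024-0008", "ExampleCNA", state="RESERVED"),                        # not yet Published
]

if __name__ == "__main__":
    for cna in ("ExampleCNA", "OtherCNA"):
        verdict = "recognized" if meets_recognition_threshold(SAMPLE_RECORDS, cna) else "not recognized"
        print(f"{cna}: {enrichment_rate(SAMPLE_RECORDS, cna):.0%} enriched, {verdict}")
    print(cwe_frequency(SAMPLE_RECORDS).most_common())
```

With the constructed data, ExampleCNA has four records in the two weeks ending at its last publication, one of them lacking a CWE, so it lands at 75% and misses the bar, while OtherCNA is at 100%; the reserved ID and the September record are excluded from the window entirely. A CNA can point the same functions at a bulk export of its own records to see where a missing metrics or problemTypes block is dragging its rate down.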

 

 

CNA Enrichment Recognition List for November 18, 2024, with 224 CNAs listed:

 

  • 9front Systems
  • Absolute Software
  • Acronis International GmbH
  • Adobe Systems Incorporated
  • Advanced Micro Devices Inc.
  • AlgoSec
  • Amazon
  • AMI
  • AppCheck Ltd.
  • Arista Networks, Inc.
  • Asea Brown Boveri Ltd.
  • ASR Microelectronics Co., Ltd.
  • Autodesk
  • Automotive Security Research Group (ASRG)
  • Avaya Inc.
  • Axis Communications AB
  • Baicells Technologies Co., Ltd.
  • Baidu, Inc.
  • Baxter Healthcare
  • Becton, Dickinson and Company (BD)
  • BeyondTrust Inc.
  • Bitdefender
  • BlackBerry
  • Brocade Communications Systems, Inc.
  • Canon EMEA
  • Canon Inc.
  • Carrier Global Corporation
  • Cato Networks
  • CERT.PL
  • CERT@VDE
  • Check Point Software Technologies Ltd.
  • Checkmarx
  • Checkmk GmbH
  • Ciena Corporation
  • cirosec GmbH
  • Cisco Systems, Inc.
  • ClickHouse, Inc.
  • Cloudflare, Inc.
  • Concrete CMS
  • CyberDanube
  • Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
  • Dassault Systèmes
  • Dell EMC
  • Dfinity Foundation
  • DirectCyber
  • Docker Inc.
  • dotCMS LLC
  • Dragos, Inc.
  • Dutch Institute for Vulnerability Disclosure (DIVD)
  • Eaton
  • Eclipse Foundation
  • ELAN Microelectronics Corp.
  • Elastic
  • EnterpriseDB Corporation
  • Environmental Systems Research Institute, Inc. (Esri)
  • Ericsson
  • ESET, spol. s r.o.
  • EU Agency for Cybersecurity (ENISA)
  • Exodus Intelligence
  • F5 Networks
  • Flexera Software LLC
  • Fluid Attacks
  • Forcepoint
  • Forescout Technologies
  • ForgeRock, Inc.
  • Fortinet, Inc.
  • Fortra, LLC
  • Gallagher Group Ltd
  • GE Healthcare
  • Genetec Inc.
  • Gitea Limited
  • GitHub (maintainer security advisories)
  • GitHub Inc, (Products Only)
  • GitLab Inc.
  • Glyph & Cog, LLC
  • Google LLC
  • Grafana Labs
  • Hanwha Vision Co., Ltd.
  • HashiCorp Inc.
  • HeroDevs
  • HiddenLayer, Inc.
  • Hillstone Networks Inc.
  • Hitachi Energy
  • Hitachi Vantara
  • Hitachi, Ltd.
  • Honeywell International Inc.
  • HP Inc.
  • Huawei Technologies
  • HYPR Corp
  • ICS-CERT
  • IDEMIA
  • Indian Computer Emergency Response Team (CERT-In)
  • Intel Corporation
  • Israel National Cyber Directorate
  • Ivanti
  • Jamf
  • JetBrains s.r.o.
  • Johnson Controls
  • JPCERT/CC
  • Kaspersky
  • KNIME AG
  • KrCERT/CC
  • Kubernetes
  • Lenovo Group Ltd.
  • Lexmark International Inc.
  • LG Electronics
  • Liferay, Inc.
  • Logitech
  • M-Files Corporation
  • ManageEngine
  • Mattermost, Inc
  • Mautic
  • Microchip Technology
  • Microsoft Corporation
  • Milestone Systems A/S
  • Mitsubishi Electric Corporation
  • MongoDB
  • Moxa Inc.
  • N-able
  • National Cyber Security Centre — Netherlands (NCSC-NL)
  • National Cyber Security Centre SK-CERT
  • National Instruments
  • Netflix, Inc.
  • Netskope
  • Network Optix
  • NLnet Labs
  • NortonLifeLock Inc
  • Nozomi Networks Inc.
  • Nvidia Corporation
  • Octopus Deploy
  • Okta
  • ONEKEY GmbH
  • Open Design Alliance
  • Open-Xchange
  • OpenAnolis
  • openEuler
  • OpenHarmony
  • OpenText (formerly Micro Focus)
  • OTRS AG
  • Palantir Technologies
  • Palo Alto Networks
  • Panasonic Holdings Corporation
  • Pandora FMS
  • PaperCut Software Pty Ltd
  • Patchstack OÜ
  • Payara
  • Pegasystems
  • Pentraze Cybersecurity
  • Perforce
  • Ping Identity Corporation
  • PostgreSQL
  • Progress Software Corporation
  • Proofpoint Inc.
  • Protect AI
  • Pure Storage, Inc.
  • QNAP Systems, Inc.
  • Qualcomm, Inc.
  • Qualys, Inc.
  • rami.io GmbH
  • Rapid7, Inc.
  • Robert Bosch GmbH
  • Rockwell Automation
  • SailPoint Technologies
  • Samsung TV & Appliance
  • SBA Research gGmbH
  • Schneider Electric SE
  • Schweitzer Engineering Laboratories, Inc.
  • Secomea
  • Securin
  • Security Risk Advisors
  • ServiceNow
  • SHENZHEN CoolKit Technology CO., LTD.
  • SICK AG
  • Siemens
  • Sierra Wireless Inc.
  • Silicon Labs
  • Snow Software
  • Snyk
  • SoftIron
  • SolarWinds
  • Sonatype Inc.
  • Sophos
  • Spanish National Cybersecurity Institute, S.A.
  • Splunk
  • STAR Labs SG Pte. Ltd.
  • Switzerland National Cyber Security Centre (NCSC)
  • Synaptics
  • Synology Inc.
  • Talos
  • TeamViewer Germany GmbH
  • Temporal Technologies Inc.
  • Tenable Network Security, Inc.
  • Thales Group
  • The Document Foundation
  • The Missing Link Australia (TML)
  • The Tcpdump Group
  • The Wikimedia Foundation
  • TianoCore.org
  • Tigera
  • Toshiba Corporation
  • TR-CERT (Computer Emergency Response Team of the Republic of Turkey)
  • Trellix
  • TWCERT/CC
  • upKeeper Solutions
  • VulDB
  • VulnCheck
  • VULSec Labs
  • WatchGuard Technologies, Inc.
  • Western Digital
  • Wiz, Inc.
  • Wordfence
  • Xerox Corporation
  • Xiaomi Technology Co Ltd
  • Yandex N.V.
  • Yokogawa Group
  • Yugabyte, Inc.
  • Zabbix
  • Zephyr Project
  • Zero Day Initiative
  • Zoom Video Communications, Inc.
  • Zscaler, Inc.
  • ZTE Corporation
  • ZUSO Advanced Research Team (ZUSO ART)
  • Zyxel Corporation

 

Share this CVE article:

https://medium.com/@cve_program/vulnerability-data-enrichment-for-cve-records-224-cnas-on-the-enrichment-recognition-list-for-d5dea5f0d82a

 

Our CVE Story: Biohacking Village


Guest authors Janine (Nina Alli) and Jennifer Agüero are both from Biohacking Village. Janine is CEO/Executive Director and Jennifer is a Marketing Communications Specialist. Biohacking Village is a CVE Numbering Authority (CNA) partner under the CISA ICS Root.


Since our founding in 2014, Biohacking Village has recognized the critical need to raise awareness about cybersecurity in patient care, long before cybersecurity in healthcare became the priority it is today. Our mission, “Healthier Tech for Healthier People,” places cybersecurity at the heart of fostering innovation and ensuring patient safety in healthcare technology. We are driven by two core goals: addressing public interest in healthcare security and ensuring patient safety through proactive action.

Each year, we organize Biohacking Village events for both domestic and international conferences, and we participate in one of the world’s largest hacker events, DEF CON. Over time, we’ve built strong relationships with leading medical device manufacturers, inviting them to our Device Lab, where they bring products for testing on one of the most perilous networks, by some of the most skilled hackers in the world. We maintain an ethical approach to vulnerability testing and are a trusted partner, focusing on improving security while prioritizing patient protection.

Before partnering with the CVE® Program as a CVE Numbering Authority (CNA), responsibility for managing vulnerabilities lay solely with the device manufacturers participating in our Device Lab. While many manufacturers have their own Coordinated Vulnerability Disclosure (CVD) policies, not all do. Additionally, vulnerabilities are sometimes discovered by researchers or security professionals in our Speaker Lab or Catalyst Workshops. In these situations, it’s crucial to have the capability to disclose these findings responsibly. Our ability to assist in responsible disclosure is central to our commitment to public interest and patient safety, ensuring vulnerabilities are addressed efficiently.

In June 2023, we reached a major milestone by becoming a CNA. This designation enables us to proactively identify, assign, and publish CVE Records for vulnerabilities found in medical devices that are not in another CNA’s scope. By adopting the CVE Program’s processes, we enhanced our ability to manage vulnerabilities swiftly and accurately. Becoming a CNA was a strategic decision that empowers us to contribute more effectively to the global healthcare security landscape.

The benefits of participating in the CVE Program go beyond our organization. As a CNA, we are better positioned to coordinate vulnerability management efforts with manufacturers, security researchers, and the broader healthcare community. For any organization involved in technology, especially in critical sectors like healthcare, becoming a CNA demonstrates a commitment to cybersecurity and patient safety. It enables companies to take ownership of vulnerabilities, coordinate responses effectively, and ensure risks are mitigated before they escalate into threats.

At Biohacking Village, our goal is not only to protect patients but also to support medical device manufacturers in continuously improving product security. We believe that collaboration between the public and private sectors, along with clear communication and transparency, is essential for reducing risks and building safer medical technologies.

Becoming a CNA reinforces our dedication to fostering a secure, innovative healthcare environment. Our journey with the CVE Program is just the beginning, and we’re excited to be part of this initiative to enhance safety for all.

Share this CVE article:

https://medium.com/@cve_program/our-cve-story-biohacking-village-3611169d1f87

 

Community

 

Call for Papers Now Open for CVE/FIRST VulnCon 2025 on April 7-10, 2025!


The CVE Program and FIRST will co-host VulnCon 2025 at the McKimmon Center in Raleigh, North Carolina, USA, on April 7–10, 2025. The Call for Papers is open until January 15, 2025. See details here.

Registration, both virtual and in-person, will open in December 2024.

The purpose of VulnCon — which is open to the public — is to bring together vulnerability management and cybersecurity professionals to develop forward-leaning ideas that can be taken back to individual programs for action, to the benefit of the vulnerability management ecosystem. A key goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and to determine how best to benefit the ecosystem broadly.

Call for Papers

 

We are seeking session talks and training/workshops on the following topics:

 

  • Vulnerability Metadata — including sessions focused on CVE, CVSS, CWE, CSAF, EPSS, SSVC, VEX, EoX, and others, including Working Group, SIG, and other foundation read-report-outs
  • Managing Risk — including sessions on articulating and framing risk for stakeholders in the vulnerability ecosystem
  • Vulnerability Management’s Intersection with Global Public Policy & Regulation — What are current and emerging trends in the global regulatory space
  • PSIRT Service Framework — Introductory, intermediate, and advanced topics for product security teams and defenders
  • “State of…” Operations, Tooling, and the craft of product security, incident response, and ecosystem vulnerability management
  • Coordinated Vulnerability Disclosure — practices and challenges in sharing and reporting security vulnerabilities and exploits

 

VulnCon 2025 will have nearly 150 open speaking and/or training sessions available, so please consider submitting a session or education training to share with the ecosystem.

 

CFP Timeline

 

  • Call for Papers Closes: January 15, 2025
  • Acceptance Notifications: Notification waves to begin February 14, 2025
  • Acceptance Due Date: February 28, 2025
  • Final Presentations Due: April 2, 2025

 

Speaker Privileges

 

To help keep registration fees reasonable for all, we do not offer special discounts for speakers or workshop presenters. There is no accommodation or travel support provided.

 

Submission Process

 

All proposals should be submitted via the “EasyChair” link on the FIRST website. You are welcome to submit multiple proposals.

 

Learn More About VulnCon 2025

 

For most up-to-date information, visit the CVE/FIRST VulnCon 2025 conference page hosted on the FIRST website. We look forward to seeing you at this annual community event!

 

Share or comment on this CVE article on Medium:

https://medium.com/@cve_program/call-for-papers-now-open-for-cve-first-vulncon-2025-on-april-7-10-2025-4136aaf3f10f

 

CVE in the News

 

NVIDIA Base Command Manager Vulnerability Let Attackers Remote Code, Cyber Security News

 

Apple Urgently Patches Actively Exploited Zero-Days, Dark Reading

 

Researchers reveal exploitable flaws in corporate VPN clients, Help Net Security

 

Critical QNAP Vulnerabilities in Notes Station 3 and QuRouter Demand Immediate Patching (CVE-2024-38645, CVE-2024-38643, CVE-2024-48860), SOCRadar

 

Critical AnyDesk Vulnerability Let Attackers Uncover User IP Address, Cyber Security News

 

Decades-Old Security Vulnerabilities Found in Ubuntu's Needrestart Package, The Hacker News

 

 

Keeping Up with CVE

 

Follow us for the latest from CVE:

  • @CVEnew – X-Twitter feed of the latest CVE Records
  • @CVEannounce – X-Twitter feed of news and announcements about CVE
  • @CVE_Program – Mastodon feed of news and announcements about CVE
  • @CVEprogram – Bluesky feed of news and announcements about CVE
  • CVE Program – LinkedIn page
  • CVE-CWE – LinkedIn showcase page
  • CVE Blog – CVE website
  • CVE Blog on Medium – Medium
  • We Speak CVE – Podcast
  • CVEProject – GitHub
  • CVE Program Channel – YouTube
  • CVE Announce Newsletter – Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://www.cve.org/Media/News/NewsletterSignup. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

 

CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2024, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 

 
