CVE Announce - November 27, 2024 (opt-in newsletter from the CVE website)
Featured
· CVE Program Celebrates 25 Years of Impact
· Chris Turner of NIST Joins the CVE Board as the “NIST CVE Board Liaison”
· CVE Program Report for Quarter 3 Calendar Year (Q3 CY) 2024
· 31,770 CVE Records Used as Basis for the “2024 CWE Top 25 Most Dangerous Software Weaknesses List”
CVE Numbering Authorities (CNAs)
· 12 Additional Organizations Added as CNAs
· Our CVE Story: Biohacking Village
Community
Featured
CVE Program Celebrates 25 Years of Impact
In October, the Common Vulnerabilities and Exposures (CVE®) Program commemorated its 25th anniversary, marking a quarter-century of enabling coordinated vulnerability management through global collaboration and innovation. Launched in 1999, the CVE Program has transformed the way organizations identify and manage cybersecurity vulnerabilities, enabling stronger defenses against cyber threats. The CVE 25th Anniversary Report is available now on the CVE.ORG website.
MITRE presented the original vision for the CVE List in a groundbreaking white paper during the 2nd Workshop on Research with Security Vulnerability Databases. Since then, the CVE Program has evolved into a vital resource for cybersecurity professionals and serves as the backbone for the global vulnerability management ecosystem. The program has seen widespread adoption, with over 400 CVE Numbering Authorities (CNAs) from 40 countries now producing CVE Records, which are incorporated into countless products and security advisories. From the initial 321 CVE Records in 1999 to over 240,000 in October 2024, CVE serves as a cornerstone for effective vulnerability management worldwide across national vulnerability databases, cybersecurity tool vendors, incident response operations, researchers, and policymakers.
“As we reflect on this historic milestone, we recognize the collective efforts of hundreds of organizations and thousands of individuals across our diverse partner community that contributed to making the CVE Program a success,” said Kent Landfield and Lisa Olson speaking on behalf of the CVE Board.
“CISA is proud to sponsor the CVE Program. We are committed to working with the CVE Program’s community of international stakeholders to reduce cybersecurity risk by addressing the prevalence and impact of vulnerabilities across enterprises and technologies,” said Sandra Radesky, CISA Associate Director of Vulnerability Management.
“The success of the CVE Program is a testament to the power of federation; its collaborative approach brings together experts in industry, government, and academia across the globe to create a common and scalable vulnerability identification standard that provides a foundation for vulnerability management worldwide,” said Yosry Barsoum, Vice President of the Center for Securing the Homeland at MITRE.
Looking ahead, the CVE Program is committed to expanding its reach and impact. Its priorities include continuing to increase program adoption and coverage through growing the CNA community in less represented industry sectors, strengthening the connection between the program and its downstream consumers, and further increasing the value and quality of CVE Records through data enrichment.
As we reflect on 25 years of achievements, we encourage all cybersecurity professionals, researchers, and partners to engage with the CVE Program and contribute to its ongoing development. Together, we can continue to strengthen the global cybersecurity landscape and address the evolving challenges of our digital world.
View the CVE 25th Anniversary Report here.
MEDIA COVERAGE:
- CVE Program Celebrates 25 Years of Impact in Cybersecurity, MITRE Website News Release
- CVE Program Celebrates 25 Years of Impact in Cybersecurity: Strengthening Global Collaboration and Vulnerability Management, BusinessWire.com
- CVE 25th Anniversary, ICS.ORG Blog
- From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25, Tenable
- CVE Program marks 25 years of advancing cybersecurity efforts, SDxCentral
- In Other News: CVE Turns 25, SecurityWeek
- Celebrating 25 Years of the CVE Program, Payara Blog
- MITRE CVE Program Marks 25th Anniversary, Accumulating 240,000 Records by 2024, Cybersecurity News
- The World Still Needs A CVE Program, Forbes
- Application Security Weekly Podcast, SC Media Podcast
- Celebrating 25 Years of the CVE Program: Notes on our 5 Year Journey as a CVE Numbering Authority, BitDefender Blog
- 25th anniversary of the Common Vulnerabilities and Exposure (CVE) Program: Comment from Satnam Narang, Senior Staff Research Engineer at Tenable, Enterprise Times
- 25th anniversary of the Common Vulnerabilities and Exposure (CVE) Program: Comment from Satnam Narang, Senior Staff Research Engineer at Tenable, CXO Today
- In Other News: CVE Turns 25, Reg4Tech
- 25 Years of CVE, Shostack Blog
- Celebrating 25 Years of CVE’s, Jerry Gamblin Blog
- CVE Program Celebrates 25 Years of Impact in Cybersecurity, Jopling Globe
- CVE Program Celebrates 25 Years of Impact in Cybersecurity, Yahoo Finance
- CVE Program Celebrates 25 Years of Impact in Cybersecurity, Morningstar
- Vulnerability Prioritization & the Magic 8 Ball, Security Boulevard
- CVE Program Celebrates 25 Years of Impact in Cybersecurity, 01net.it
- Be Cyber Aware, Be Very Aware, MITRE 360 Oct Newsletter
- Weekly Cybersecurity Newsletter: Data Breaches, Vulnerabilities, Cyber Attacks, and Other Updates, CyberSecurity News
- The CVE Program Turns 25, TechBusiness
- IT Security News Monthly Summary, IT Security News
Share this CVE article:
https://medium.com/@cve_program/cve-program-celebrates-25-years-of-impact-f8f8c6b28f69
Chris Turner of NIST Joins the CVE Board as the “NIST CVE Board Liaison”
The CVE Program is pleased to announce that Chris Turner of the National Institute of Standards and Technology (NIST) is the newest member of the CVE Board, serving as the “NIST CVE Board Liaison.”
Per the CVE Board Charter, “Section 1.3.3 Organizational Liaison – An Organizational Liaison position allows for tighter partnerships with targeted organizations. This type of role provides the Board with greater flexibility for how external organizations work with the Board and CVE Program governance. There can be one or more organization(s) designated to have a liaison relationship with the Board at any one time. Each Organization with a Liaison position will have a single seat on the Board reserved for the Organizational Liaison representing them. This allows the Board representation from specific organizations as needed. This is a term-limited seat that must be reconfirmed by the Secretariat when the term set expires. The default term, unless specified by the Board during the establishment of the organization’s liaison role, is one year. The Secretariat assures the Organization wishes to continue the Board relationship and that the designated individual is the proper person to fill the role for the organization for the upcoming term. The Organization’s liaison is a voting member of the Board and can serve more than one consecutive term if the Organization desires. This position is a two-way conduit for the Organization to bring things to and from the Board in an official and structured way.”
About Chris Turner
Chris Turner is a seasoned professional with over a decade of experience in information security and vulnerability management. Currently, he serves as the Senior Advisor for the U.S. NVD at NIST. Chris is deeply committed to enhancing the accessibility and utility of vulnerability management data, tools, and educational resources.
Prior to his current role, Chris was the Lead Vulnerability Analyst for the NVD, where he led efforts to advance the program’s analytical capabilities and fostered significant improvements in the vulnerability management landscape. His extensive knowledge of the vulnerability management ecosystem and its implications for overall cybersecurity makes him a trusted authority in the field.
Chris’ passion and expertise drive his ongoing contributions to the security community, aiming to create a safer and more resilient digital environment.
About the CVE Board
The CVE Board is the organization responsible for the strategic direction, governance, operational structure, policies, and rules of the CVE Program. The Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information.
CVE Program Report for Quarter 3 Calendar Year (Q3 CY) 2024
The CVE Program’s quarterly summary of program milestones and metrics for Q3 CY 2024.
Q3 CY 2024 Milestones
Twenty-Four CVE Numbering Authorities (CNAs) Added
The twenty-four (24) new CNAs added this quarter are listed below under their Top-Level Root (TL-Root) or Root. Scope of coverage is described next to their organization name.
Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Root:
- ASUSTeK Computer Incorporation - ASUS issues only (Taiwan)
- Cytiva - Cytiva branded products only (USA)
- Pall Corporation - Pall branded products only (USA)
- Stryker Corporation - All products of Stryker or a Stryker company including end-of-life/end-of-service products, and vulnerabilities in third-party software used in Stryker products that are not in another CNA’s scope (USA)
- Amazon - All Amazon and AWS products (including subsidiaries, supported, and EOL/EOS products), as well as vulnerabilities in third party software discovered by Amazon/AWS that are not in another CNA’s scope (USA)
- Arxscan, Inc. - Arxscan issues only (USA)
- Cato Networks - All Cato Networks products and vulnerabilities in third-party products affecting Cato products unless covered by the scope of another CNA (Israel)
- Forescout Technologies - Forescout issues only (USA)
- Huntress Labs Inc. - All Huntress products, as well as vulnerabilities in third-party software discovered by Huntress that are not in another CNA’s scope (USA)
- Imagination Technologies - Imagination Technologies branded products and technologies and Imagination Technologies (IMG) managed open source projects (UK)
- Intigriti - Vulnerabilities in Intigriti products and vulnerabilities discovered by, or reported to, Intigriti that are not in another CNA’s scope (Belgium)
- Ivanti - Vulnerabilities in supported Ivanti products and infrastructure, excluding third-party components, and meeting severity thresholds defined in Ivanti’s Disclosure Policy found here (USA)
- Kong Inc. - Kong products; Kong Konnect, Kong Enterprise, Kong Mesh, and Kong Insomnia, including Kong Opensource; Kong Gateway, Kuma, Insomnia (USA)
- Leica Microsystems - Leica Microsystems products as listed on https://www.leica-microsystems.com/products (Germany)
- Monash University - Cyber Security Incident Response Team - Vulnerabilities in any Monash University developed products, or vulnerabilities identified in third-party vendor products used by Monash University, unless covered by the scope of another CNA (Australia)
- PlexTrac, Inc. - Vulnerabilities within PlexTrac’s products (USA)
- Proton AG - Proton AG issues only (Switzerland)
- RealPage - Vulnerabilities in RealPage products and services including but not limited to: Keyready, Knock CRM, HomeWiseDocs, REDS (Real Estate Data Solutions), G5, WhiteSky Communications, Chirp Systems, STRATIS IoT, Modern Message (Community Rewards), Hipercept, Investor Management Services, AIM, FUEL, Buildium, All Property Management, SimpleBills, DepositIQ, Rentlytics, ClickPay, LeaseLabs, PEX, On-Site, American Utility Management (AUM), Axiometrics, Lease Rent Optimization (LRO), AssetEye, NWP Services Corporation, Indatus, ActiveBuilding, RentMineOnline (RMO), MyNewPlace, Compliance Depot, SeniorLiving.net, eREI, Domin-8, Level One, Propertyware, Opstechnology, LeasingDesk, and YieldStar (USA)
- Seal Security - Vulnerabilities in Seal products or services and vulnerabilities discovered in open-source libraries unless covered by the scope of another CNA (USA)
- Super Micro Computer, Inc. - Supermicro branded products, managed system, or software projects (USA)
- upKeeper Solutions - All upKeeper Solutions products, excluding end-of-life (EOL) as listed in the upKeeper Solutions End of Life Policy (Sweden)
- WatchDogDevelopment.com, LLC - All WatchDog products (USA)
- Wiz, Inc. - Vulnerabilities identified in Wiz products, and vulnerabilities discovered by, or reported to, Wiz that are not in another CNA’s scope (USA)
- 9front Systems - All software produced as part of the Plan9front open source operating system, as well as its applications and cyberinfrastructure. Vulnerabilities discovered by or reported to 9front Systems for all Plan 9 software not covered by the scope of another CNA (USA)
Recognition for CNAs Actively Providing Vulnerability Data Enrichment for CVE Records
In September, the CVE Program began publicly recognizing those CNAs that are actively providing enhanced vulnerability data in their CVE Records. Published every two weeks, the “CNA Enrichment Recognition List” recognizes CNAs that provide Common Vulnerability Scoring System (CVSS) and Common Weakness Enumeration (CWE™) information 98% of the time or more within the two-week period of their last published CVE Record. The recognition list was published twice that month, on September 9 with 212 CNAs recognized and on September 23 with 215 CNAs recognized. Read the recognition list announcement here.
CVE Records Add New CVE Program Container
In July, the CVE Program added a new “CVE Program Container” within CVE Records that allows the program to deliver additional information more effectively to downstream users, while making no changes to the CVE Record Format schema used by CVE Program partners. The addition supports CVE Program capabilities including providing additional references and Record state information. Over time, the new container will also store various “value added” program data to further enhance individual CVE Records. Read the full announcement here.
“CNA Rules v4.0” in Effect as of August 8
The “CVE Numbering Authority (CNA) Operational Rules Version 4.0” took effect on August 8, 2024. The previous version, CNA Rules v3.0, was deprecated. After significant community participation and review, the CNA Rules v4.0 document was approved by the CVE Board on May 8, 2024, and published on the CVE website. CNAs were informed at that time that there would be a 90-day transition period to adjust their internal processes to integrate the new rules. That 90-day transition period ended on August 8, 2024, and CNAs are now required to comply with the new rules.
CVE and AI-related Vulnerabilities
Published in July, the “CVE and AI-related Vulnerabilities” blog article is the first in a series intended to document the CVE Board’s efforts to establish swim lanes for AI vulnerability disclosure within CVE. The blog series will discuss the concerns the Board is encountering in defining what is within the responsibilities of the CVE Program. Because not all AI issues are appropriate for a CVE assignment, the blog series will also try to define when other AI security-related initiatives are needed to address concerns outside the CVE Program. In this first blog in the series, the program’s definition of vulnerability is discussed as it relates to AI. Also noted is that the scope of some types of AI-enabled system security issues extends beyond that of the CVE Program, and that further guidelines are needed around vulnerabilities in AI systems that will enable a foundation for the best structuring of PSIRT flow and responsibilities – a key consumer group of CVE data. In future blogs, the Board will provide further information on the program’s directions, additional details and considerations concerning AI-related CVE-ID assignment, and where researchers and security professionals may find additional assistance with AI and assurance challenges. The Board hopes that this blog series will help spark a needed community conversation on AI-related security and the new classes of threats we all must deal with going forward.
CVE Podcast Provides CNA Onboarding Process Myths Versus Facts
In the “CNA Onboarding Process Myths Versus Facts” podcast episode, recorded in August, the truth and facts about the following topics are discussed: duration and complexity of the onboarding process; the fact that there is no fee to participate; ease of incorporating assigning CVE Identifiers (CVE IDs) and publishing CVE Records into an organization’s existing coordinated vulnerability disclosure (CVD) processes; availability of automated tools for CNAs; the CVE JSON Record format and available guidance; role of Roots and Top-Level Roots and how they help CNAs; importance of CNAs determining their own scopes; disclosure policies; the community aspect of being a CNA and the availability of peer support; the value of CNAs participating in one or more CVE Working Groups, especially the CNA Organization of Peers (COOP); and more. Listen to the podcast episode here.
“Vulnogram User Guide” Available for CNAs
A community-developed “Vulnogram User Guide” (PDF, 4.0MB) was posted for CNAs on the CVE website in July. A “live” version of the document is available for CNAs on Google Docs, which continues to be reviewed and updated over time. The guide explains step-by-step how to use Vulnogram with CVE Services to manage users, CVE Identifiers (CVE IDs), and CVE Records. Vulnogram is a tool for creating and editing CVE information in the CVE Record Format, and for generating advisories. This guide is intended for CNAs that may operate at a comparatively smaller scale and are not using custom integration with CVE Services. Vulnogram is not owned or maintained by the CVE Program. Learn more about Vulnogram on GitHub.
Community Asked to Save the Date for CVE/FIRST VulnCon 2025 on April 7-10, 2025
In September, the CVE Program asked the community to “save the date” for CVE/FIRST VulnCon 2025 to be held April 7-10, 2025, at the McKimmon Center in Raleigh, North Carolina, USA. Co-hosted by the CVE Program and FIRST, the purpose of this second annual in-person and virtual event is to “collaborate with various vulnerability management and cybersecurity professionals to develop forward leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem. A key goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and best determine how to benefit the ecosystem broadly.” The call for papers and registration information will be available on the CVE/FIRST VulnCon 2025 conference page, hosted on the FIRST website, when available.
Q3 CY 2024 Metrics
Metrics for Q3 CY 2024 Published CVE Records and Reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons.
Terminology
- Published: When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published. The associated data must contain an identification number (CVE ID), a prose description, and at least one public reference.
- Reserved: The initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA.
Published CVE Records
As shown in the table below, CVE Program production was 8,591 CVE Records for CY Q3 2024. This is a 27% decrease over the 11,716 records published in CY Q2 2024. This includes all CVE Records published by all CNAs and the two CNAs of Last Resort (CNA-LRs).
Quarter (CY 2024) | Q1 | Q2 | Q3
CVE Records Published by All CNAs | 8,697 | 11,716 | 8,591
Reserved CVE IDs
The CVE Program tracks reserved CVE IDs. As shown in the table below, 11,250 CVE IDs were in the “Reserved” state in Q3 CY 2024, a 10% decrease over the 12,529 IDs reserved in CY Q2 2024. This includes all CVE IDs reserved by all CNAs and the two CNA-LRs.
Quarter (CY 2024) | Q1 | Q2 | Q3
CVE IDs Reserved by All CNAs | 13,499 | 12,529 | 11,250
CVE IDs Reserved/CVE Records Published Quarterly Trend by CY
Quarterly trend of reserved CVE IDs and published CVE Records by all CNAs and CNA-LRs. View as tables on the Metrics page on the CVE website.
CNA Partners Grow the CVE List
All of the CVE IDs and CVE Records cited in the metrics above are assigned and published by CNAs and the two CNA-LRs, within their own specific scopes.
CNAs partner with the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign. Currently, 421 CNAs (419 CNAs and 2 CNA-LRs) from 40 countries, plus 1 with no country affiliation, are partners with the CVE Program.
Learn how to become a CNA or contact one of the following to start the partnering process today:
- CISA Top-Level Root: Vulnerabilities that are (1) reported to or observed by CISA and (2) affect critical infrastructure, U.S. civilian government, industrial control systems, or medical devices, and (3) are not covered by another CNA’s scope
- CISA ICS Root: Vulnerabilities that are (1) reported to or observed by CISA, (2) affect industrial control systems or medical devices, and (3) are not covered by another CNA’s scope
- MITRE Top-Level Root: Vulnerabilities, and Open-Source software product vulnerabilities, not already covered by a CNA listed on this website
- Google Root: Alphabet organizations
- INCIBE Root: Spain organizations
- JPCERT/CC Root: Japan organizations
- Red Hat Root: The Red Hat Root’s scope includes the open-source community. Any open-source organizations that prefer Red Hat as their Root; organizations are free to choose another Root if it suits them better
31,770 CVE Records Used as Basis for the “2024 CWE Top 25 Most Dangerous Software Weaknesses List”
The 2024 CWE Top 25 Most Dangerous Software Weaknesses was released by the Common Weakness Enumeration (CWE™) Program on November 19, 2024. The newly released list highlights the most severe and prevalent weaknesses behind the 31,770 CVE Records mapped in the 2024 dataset.
Uncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place. These weaknesses lead to serious vulnerabilities in software, and an attacker can often exploit them to take control of an affected system, steal data, or prevent applications from working.
The 2024 CWE Top 25 is the first time that the CVE Numbering Authority (CNA) community directly contributed CWE mapping reviews within the dataset, leveraging their expert knowledge of the products and access to information that might not be present in the CVE Record. In general, CNAs are best positioned to provide accurate CWE mapping determinations compared to third-party analysts, as CNAs are the authority for vulnerability information within their CNA scope and those closest to the products themselves.
Visit the CWE Top 25 page on the CWE website to view the full 2024 CWE Top 25 List, key insights, methodology, and more.
CVE Numbering Authorities (CNAs)
12 Additional Organizations Added as CNAs
Since October 1st, twelve (12) additional organizations from around the world have partnered with the program as CNAs:
- Beckman Coulter Diagnostics – Beckman Coulter Diagnostics manufactured products and technologies only (USA)
- Cyber Security Agency of Singapore (CSA) – Vulnerabilities reported to CSA unless covered by the scope of another CNA (Singapore)
- Gridware Cybersecurity – Gridware software, services, and infrastructure issues, as well as vulnerabilities discovered by or reported to Gridware researchers that are not in another CNA’s scope (Australia)
- Leica Biosystems – All Leica Biosystems products (USA)
- Mammotome – All Mammotome products (USA)
- Neo4j – Neo4j products and Neo4j-maintained projects only, not including end-of-life components or products (Sweden)
- OceanBase – OceanBase products only, not including end-of-life components or products (China)
- Omnissa, LLC – All Omnissa products and services, including Workspace ONE and Horizon ()
- OMRON – Omron Group companies’ Industrial Automation, Healthcare, Social Systems, Device & Module Solutions issues only (Japan)
- PingCAP – Vulnerabilities in the following PingCAP maintained products and components: TiDB (code available at https://github.com/pingcap/tidb); TiKV (code available at https://github.com/tikv/tikv); PD (Placement Driver, code available at https://github.com/tikv/pd); TiFlash (code available at https://github.com/pingcap/tiflash); and tidbcloud (PingCAP’s cloud database service). This scope includes vulnerabilities in all supported versions of these products. CVE IDs will not be assigned for vulnerabilities found in unsupported versions or for third-party dependencies not maintained by PingCAP (USA)
- RTI – All RTI Connext products, including EOL products. See https://www.rti.com/products for more information (USA)
- Wikimedia Foundation – Any code repository hosted under gerrit.wikimedia.org, gitlab.wikimedia.org, or github.com/wikimedia that is not labeled as archived or marked as a fork of an upstream project. Please see our disclosure policy for additional exclusions to scope (USA)
CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.
There are currently 421 CNAs (419 CNAs and 2 CNA-LRs) from 40 countries, plus 1 with no country affiliation, participating in the CVE Program. View the entire list of CNA partners on the CVE website.
The “CNA Enrichment Recognition List” for November 18, 2024, is now available with 224 CNAs listed. Published every two weeks on the CVE website, the list recognizes those CVE Numbering Authorities (CNAs) that are actively providing enhanced vulnerability data in their CVE Records. CNAs are added to the list if they provide Common Vulnerability Scoring System (CVSS) and Common Weakness Enumeration (CWE™) information 98% of the time or more within the two-week period of their last published CVE Record.
For more about the recognition list, see “Recognition for CNAs Actively Providing Vulnerability Data Enrichment for CVE Records.” To learn more about vulnerability information types like CVSS and CWE, see the CVE Record User Guide. View the most current CNA Enrichment Recognition List on the CVE website Metrics page here.
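As an added illustration of the recognition rule described above (and of the Published and Reserved states defined in the Q3 report's Terminology), the following Python is not CVE Program code: it grades constructed records laid out in CVE Record Format 5.x shape, assuming that CVSS objects sit under containers.cna.metrics and CWE ids under containers.cna.problemTypes, and it approximates the program's scoring with the per-CNA two-week window and 98% threshold stated in the text.

```python
"""Approximate the "CNA Enrichment Recognition" check over CVE Records.

Added example, not CVE Program code. For each CNA it measures how often
the CNA container carries both a CVSS metric and a CWE id across the
two-week window ending at that CNA's most recently published record.
The window and the 98% threshold come from the newsletter; the program's
exact scoring rules are assumed, not reproduced.
"""
from datetime import datetime, timedelta

RECOGNITION_THRESHOLD = 0.98   # "98% of the time or more"
WINDOW = timedelta(days=14)    # "two-week period of their last published CVE Record"
# Metric object names defined by the CVE Record Format 5.x schema.
CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0")


def parse_ts(value):
    """Parse an ISO 8601 timestamp such as cveMetadata.datePublished."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def has_cvss(cna):
    """True if any entry of containers.cna.metrics carries a CVSS object."""
    return any(key in entry for entry in cna.get("metrics", []) for key in CVSS_KEYS)


def has_cwe(cna):
    """True if any containers.cna.problemTypes description carries a CWE id."""
    return any(
        str(desc.get("cweId", "")).startswith("CWE-")
        for ptype in cna.get("problemTypes", [])
        for desc in ptype.get("descriptions", [])
    )


def is_enriched(record):
    """A record counts as enriched when the CNA supplied both CVSS and CWE."""
    cna = record.get("containers", {}).get("cna", {})
    return has_cvss(cna) and has_cwe(cna)


def enrichment_rates(records):
    """Return {assignerShortName: (enriched, total)} over each CNA's window.

    Only PUBLISHED records are graded: a RESERVED record (see Terminology)
    has no datePublished and no CNA container content yet.
    """
    by_cna = {}
    for record in records:
        meta = record["cveMetadata"]
        if meta.get("state") != "PUBLISHED":
            continue
        by_cna.setdefault(meta["assignerShortName"], []).append(record)

    rates = {}
    for cna, recs in by_cna.items():
        stamped = [(parse_ts(r["cveMetadata"]["datePublished"]), r) for r in recs]
        cutoff = max(ts for ts, _ in stamped) - WINDOW
        in_window = [r for ts, r in stamped if ts >= cutoff]
        enriched = sum(1 for r in in_window if is_enriched(r))
        rates[cna] = (enriched, len(in_window))
    return rates


def recognized(records):
    """Sorted CNAs whose in-window enrichment rate meets the threshold."""
    return sorted(
        cna for cna, (enriched, total) in enrichment_rates(records).items()
        if total and enriched / total >= RECOGNITION_THRESHOLD
    )


def make_record(cve_id, cna, published=None, cvss=None, cwe=None):
    """Build a minimal constructed record in CVE Record Format 5.x shape.

    published=None yields a RESERVED record. IDs of the form CVE-EXAMPLE-*
    are placeholders; none of these are real CVE Records.
    """
    meta = {"cveId": cve_id, "assignerShortName": cna, "state": "RESERVED"}
    if published is None:
        return {"cveMetadata": meta}
    meta.update(state="PUBLISHED", datePublished=published)
    container = {"descriptions": [{"lang": "en", "value": "constructed sample"}]}
    if cvss is not None:
        container["metrics"] = [{"cvssV3_1": {"version": "3.1", "baseScore": cvss}}]
    if cwe is not None:
        container["problemTypes"] = [{"descriptions": [
            {"lang": "en", "type": "CWE", "cweId": cwe, "description": cwe}]}]
    return {"cveMetadata": meta, "containers": {"cna": container}}


# Constructed sample set: cna-a is fully enriched inside its two-week window
# (its older un-enriched record falls outside it), cna-b sits at 50%, and
# cna-c holds only a RESERVED id, so it is not graded at all.
SAMPLE_RECORDS = [
    make_record("CVE-EXAMPLE-0001", "cna-a", "2024-11-15T10:00:00.000Z", cvss=7.5, cwe="CWE-79"),
    make_record("CVE-EXAMPLE-0002", "cna-a", "2024-11-10T10:00:00.000Z", cvss=9.8, cwe="CWE-787"),
    make_record("CVE-EXAMPLE-0003", "cna-a", "2024-11-02T10:00:00.000Z", cvss=5.3, cwe="CWE-20"),
    make_record("CVE-EXAMPLE-0004", "cna-a", "2024-10-20T10:00:00.000Z", cvss=6.1),
    make_record("CVE-EXAMPLE-0005", "cna-b", "2024-11-18T10:00:00.000Z", cvss=8.8, cwe="CWE-89"),
    make_record("CVE-EXAMPLE-0006", "cna-b", "2024-11-12T10:00:00.000Z", cvss=4.3),
    make_record("CVE-EXAMPLE-0007", "cna-c"),
]

if __name__ == "__main__":
    for cna, (enriched, total) in sorted(enrichment_rates(SAMPLE_RECORDS).items()):
        print(f"{cna}: {enriched}/{total} enriched in window")
    print("recognized:", recognized(SAMPLE_RECORDS))
```

Metrics supplied only by an ADP container (for example a downstream enrichment partner) are deliberately ignored here, since the list recognizes data the CNA itself provided.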
CNA Enrichment Recognition List for November 18, 2024, with 224 CNAs listed:
- 9front Systems
- Absolute Software
- Acronis International GmbH
- Adobe Systems Incorporated
- Advanced Micro Devices Inc.
- AlgoSec
- Amazon
- AMI
- AppCheck Ltd.
- Arista Networks, Inc.
- Asea Brown Boveri Ltd.
- ASR Microelectronics Co., Ltd.
- Autodesk
- Automotive Security Research Group (ASRG)
- Avaya Inc.
- Axis Communications AB
- Baicells Technologies Co., Ltd.
- Baidu, Inc.
- Baxter Healthcare
- Becton, Dickinson and Company (BD)
- BeyondTrust Inc.
- Bitdefender
- BlackBerry
- Brocade Communications Systems, Inc.
- Canon EMEA
- Canon Inc.
- Carrier Global Corporation
- Cato Networks
- CERT.PL
- CERT@VDE
- Check Point Software Technologies Ltd.
- Checkmarx
- Checkmk GmbH
- Ciena Corporation
- cirosec GmbH
- Cisco Systems, Inc.
- ClickHouse, Inc.
- Cloudflare, Inc.
- Concrete CMS
- CyberDanube
- Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
- Dassault Systèmes
- Dell EMC
- Dfinity Foundation
- DirectCyber
- Docker Inc.
- dotCMS LLC
- Dragos, Inc.
- Dutch Institute for Vulnerability Disclosure (DIVD)
- Eaton
- Eclipse Foundation
- ELAN Microelectronics Corp.
- Elastic
- EnterpriseDB Corporation
- Environmental Systems Research Institute, Inc. (Esri)
- Ericsson
- ESET, spol. s r.o.
- EU Agency for Cybersecurity (ENISA)
- Exodus Intelligence
- F5 Networks
- Flexera Software LLC
- Fluid Attacks
- Forcepoint
- Forescout Technologies
- ForgeRock, Inc.
- Fortinet, Inc.
- Fortra, LLC
- Gallagher Group Ltd
- GE Healthcare
- Genetec Inc.
- Gitea Limited
- GitHub (maintainer security advisories)
- GitHub Inc, (Products Only)
- GitLab Inc.
- Glyph & Cog, LLC
- Google LLC
- Grafana Labs
- Hanwha Vision Co., Ltd.
- HashiCorp Inc.
- HeroDevs
- HiddenLayer, Inc.
- Hillstone Networks Inc.
- Hitachi Energy
- Hitachi Vantara
- Hitachi, Ltd.
- Honeywell International Inc.
- HP Inc.
- Huawei Technologies
- HYPR Corp
- ICS-CERT
- IDEMIA
- Indian Computer Emergency Response Team (CERT-In)
- Intel Corporation
- Israel National Cyber Directorate
- Ivanti
- Jamf
- JetBrains s.r.o.
- Johnson Controls
- JPCERT/CC
- Kaspersky
- KNIME AG
- KrCERT/CC
- Kubernetes
- Lenovo Group Ltd.
- Lexmark International Inc.
- LG Electronics
- Liferay, Inc.
- Logitech
- M-Files Corporation
- ManageEngine
- Mattermost, Inc
- Mautic
- Microchip Technology
- Microsoft Corporation
- Milestone Systems A/S
- Mitsubishi Electric Corporation
- MongoDB
- Moxa Inc.
- N-able
- National Cyber Security Centre — Netherlands (NCSC-NL)
- National Cyber Security Centre SK-CERT
- National Instruments
- Netflix, Inc.
- Netskope
- Network Optix
- NLnet Labs
- NortonLifeLock Inc
- Nozomi Networks Inc.
- Nvidia Corporation
- Octopus Deploy
- Okta
- ONEKEY GmbH
- Open Design Alliance
- Open-Xchange
- OpenAnolis
- openEuler
- OpenHarmony
- OpenText (formerly Micro Focus)
- OTRS AG
- Palantir Technologies
- Palo Alto Networks
- Panasonic Holdings Corporation
- Pandora FMS
- PaperCut Software Pty Ltd
- Patchstack OÜ
- Payara
- Pegasystems
- Pentraze Cybersecurity
- Perforce
- Ping Identity Corporation
- PostgreSQL
- Progress Software Corporation
- Proofpoint Inc.
- Protect AI
- Pure Storage, Inc.
- QNAP Systems, Inc.
- Qualcomm, Inc.
- Qualys, Inc.
- rami.io GmbH
- Rapid7, Inc.
- Robert Bosch GmbH
- Rockwell Automation
- SailPoint Technologies
- Samsung TV & Appliance
- SBA Research gGmbH
- Schneider Electric SE
- Schweitzer Engineering Laboratories, Inc.
- Secomea
- Securin
- Security Risk Advisors
- ServiceNow
- SHENZHEN CoolKit Technology CO., LTD.
- SICK AG
- Siemens
- Sierra Wireless Inc.
- Silicon Labs
- Snow Software
- Snyk
- SoftIron
- SolarWinds
- Sonatype Inc.
- Sophos
- Spanish National Cybersecurity Institute, S.A.
- Splunk
- STAR Labs SG Pte. Ltd.
- Switzerland National Cyber Security Centre (NCSC)
- Synaptics
- Synology Inc.
- Talos
- TeamViewer Germany GmbH
- Temporal Technologies Inc.
- Tenable Network Security, Inc.
- Thales Group
- The Document Foundation
- The Missing Link Australia (TML)
- The Tcpdump Group
- The Wikimedia Foundation
- TianoCore.org
- Tigera
- Toshiba Corporation
- TR-CERT (Computer Emergency Response Team of the Republic of Turkey)
- Trellix
- TWCERT/CC
- upKeeper Solutions
- VulDB
- VulnCheck
- VULSec Labs
- WatchGuard Technologies, Inc.
- Western Digital
- Wiz, Inc.
- Wordfence
- Xerox Corporation
- Xiaomi Technology Co Ltd
- Yandex N.V.
- Yokogawa Group
- Yugabyte, Inc.
- Zabbix
- Zephyr Project
- Zero Day Initiative
- Zoom Video Communications, Inc.
- Zscaler, Inc.
- ZTE Corporation
- ZUSO Advanced Research Team (ZUSO ART)
- Zyxel Corporation
Our CVE Story: Biohacking Village
Guest authors Janine (Nina Alli) and Jennifer Agüero are both from Biohacking Village. Janine is CEO/Executive Director and Jennifer is a Marketing Communications Specialist. Biohacking Village is a CVE Numbering Authority (CNA) partner under the CISA ICS Root.
Since our founding in 2014, Biohacking Village has recognized the critical need to raise awareness about cybersecurity in patient care — long before cybersecurity in healthcare became the priority it is today. Our mission, “Healthier Tech for Healthier People” places cybersecurity at the heart of fostering innovation and ensuring patient safety in healthcare technology. We are driven by two core goals: addressing public interest in healthcare security and ensuring patient safety through proactive action.
Each year, we organize Biohacking Village events for both domestic and international conferences, and we participate in one of the world’s largest hacker events, DEF CON. Over time, we’ve built strong relationships with leading medical device manufacturers, inviting them to our Device Lab, where they bring products for testing on one of the most perilous networks, by some of the most skilled hackers in the world. We maintain an ethical approach to vulnerability testing and are a trusted partner, focusing on improving security while prioritizing patient protection.
Before partnering with the CVE® Program as a CVE Numbering Authority (CNA), responsibility for managing vulnerabilities lay solely with the device manufacturers participating in our Device Lab. While many manufacturers have their own Coordinated Vulnerability Disclosure (CVD) policies, not all do. Additionally, vulnerabilities are sometimes discovered by researchers or security professionals in our Speaker Lab or Catalyst Workshops. In these situations, it’s crucial to have the capability to disclose these findings responsibly. Our ability to assist in responsible disclosure is central to our commitment to public interest and patient safety, ensuring vulnerabilities are addressed efficiently.
In June 2023, we reached a major milestone by becoming a CNA. This designation enables us to proactively identify, assign, and publish CVE Records for vulnerabilities found in medical devices that are not in another CNA’s scope. By adopting the CVE Program’s processes, we enhanced our ability to manage vulnerabilities swiftly and accurately. Becoming a CNA was a strategic decision that empowers us to contribute more effectively to the global healthcare security landscape.
The benefits of participating in the CVE Program go beyond our organization. As a CNA, we are better positioned to coordinate vulnerability management efforts with manufacturers, security researchers, and the broader healthcare community. For any organization involved in technology, especially in critical sectors like healthcare, becoming a CNA demonstrates a commitment to cybersecurity and patient safety. It enables companies to take ownership of vulnerabilities, coordinate responses effectively, and ensure risks are mitigated before they escalate into threats.
At Biohacking Village, our goal is not only to protect patients but also to support medical device manufacturers in continuously improving product security. We believe that collaboration between the public and private sectors, along with clear communication and transparency, is essential for reducing risks and building safer medical technologies. Becoming a CNA reinforces our dedication to fostering a secure, innovative healthcare environment. Our journey with the CVE Program is just the beginning, and we’re excited to be part of this initiative to enhance safety for all.
Share this CVE article:
https://medium.com/@cve_program/our-cve-story-biohacking-village-3611169d1f87
Community
Call for Papers Now Open for CVE/FIRST VulnCon 2025 on April 7-10, 2025!
The CVE Program and FIRST will co-host VulnCon 2025 at the McKimmon Center in Raleigh, North Carolina, USA, on April 7–10, 2025. The Call for Papers is open until January 15, 2025. See details here.
Registration, both virtual and in-person, will open in December 2024.
The purpose of VulnCon — which is open to the public — is to bring together vulnerability management and cybersecurity professionals to develop forward-leaning ideas that can be taken back to individual programs for action, to the benefit of the vulnerability management ecosystem. A key goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and to determine how best to benefit the ecosystem broadly.
Call for Papers
We are seeking session talks and training/workshops on the following topics:
- Vulnerability Metadata — including sessions focused on CVE, CVSS, CWE, CSAF, EPSS, SSVC, VEX, EoX, and others, including Working Group, SIG, and other foundation read-report-outs
- Managing Risk — including sessions on articulating and framing risk for stakeholders in the vulnerability ecosystem
- Vulnerability Management’s Intersection with Global Public Policy & Regulation — What are the current and emerging trends in the global regulatory space?
- PSIRT Service Framework — Introductory, intermediate, and advanced topics for product security teams and defenders
- “State of…” Operations, Tooling, and the craft of product security, incident response, and ecosystem vulnerability management
- Coordinated Vulnerability Disclosure — practices and challenges in sharing and reporting security vulnerabilities and exploits
VulnCon 2025 will have nearly 150 open speaking and/or training sessions available, so please consider submitting a session or training proposal to share with the ecosystem.
CFP Timeline
- Call for Papers Closes: January 15, 2025
- Acceptance Notifications: Notification waves to begin February 14, 2025
- Acceptance Due Date: February 28, 2025
- Final Presentations Due: April 2, 2025
Speaker Privileges
To help keep registration fees reasonable for all, we do not offer special discounts for speakers or workshop presenters. There is no accommodation or travel support provided.
Submission Process
All proposals should be submitted via the “EasyChair” link on the FIRST website. You are welcome to submit multiple proposals.
Learn More About VulnCon 2025
For the most up-to-date information, visit the CVE/FIRST VulnCon 2025 conference page hosted on the FIRST website. We look forward to seeing you at this annual community event!
Share or comment on this CVE article on Medium:
NVIDIA Base Command Manager Vulnerability Let Attackers Remote Code, Cyber Security News
Apple Urgently Patches Actively Exploited Zero-Days, Dark Reading
Researchers reveal exploitable flaws in corporate VPN clients, Help Net Security
Critical AnyDesk Vulnerability Let Attackers Uncover User IP Address, Cyber Security News
Decades-Old Security Vulnerabilities Found in Ubuntu's Needrestart Package, The Hacker News
Follow us for the latest from CVE:
@CVEnew – X-Twitter feed of the latest CVE Records
@CVEannounce – X-Twitter feed of news and announcements about CVE
@CVE_Program – Mastodon feed of news and announcements about CVE
@CVEprogram – Bluesky feed of news and announcements about CVE
CVE Program - LinkedIn page
CVE-CWE - LinkedIn showcase page
CVE Blog - CVE website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email
If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://www.cve.org/Media/News/NewsletterSignup. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).
CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2024, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.
