What are CNAs and what is their purpose?
CNAs are organizations that identify and distributes CVE IDs to researchers and information technology vendors for inclusion in first-time public announcements of new vulnerabilities. They are part of what MITRE and the CVE board have termed a “federated system,” in which dozens of other organizations – 62 at current count – help identify vulnerabilities and assign them an ID number without directly involving MITRE, which is the primary CNA, in the details of the specific vulnerabilities.
Organizations that are CNAs include Adobe, Apple, Cisco, Google, Hewlett Packard Enterprise, Huawei, IBM, Intel, Microsoft, Mozilla, Oracle, Rapid 7, Red Hat, Siemens, Symantec and VMWare, plus organizations like CERT/CC (Computer Emergency Response Team/Coordination Center) and the DWF Project.
How does an organization qualify to become a CNA?
It could be a vendor with a significant user base and established security advisory capability, a regional coordinator such as a CERT, a domain publisher like an Information Sharing and Analysis Center (ISAC) representing a particular sector, or a mature research organization. The organization must be an established distribution point or source for first-time product vulnerability announcements, which may concern their own products.
What is a “root” CNA?
MITRE is the “primary” CNA, while root CNAs cover a certain area or niche. In many cases, a root CNA is a major company like Microsoft that posts vulnerabilities only in its own products. In other cases, a company like Red Hat focuses on open source vulnerabilities.
Seifried adds that applicants have some choices about the role they wish to play. “If you want to be a root CNA (like DWF/JP-CERT/CC or the existing group of commercial companies like Red Hat or Microsoft), you ask MITRE. If you are an open source project, you could go directly to MITRE if you’re large enough (as the Apache Foundation did in past, also prior to the DWF being up and running), or you can go directly to the DWF to become a sub-CNA of the DWF,” he said.
Where can one find the latest version of the CVE List?
New CVE Identifiers are added to the CVE website daily basis and are immediately available. The latest version of the CVE is on the CVE List Master Copy page. A free tool from CERIAS/Purdue University monitors changes to the CVE List. Also, CVE Change Logs provide daily or monthly changes to the list. The tool is a feature of CERIAS' Cassandra incident response database service, which is listed on the CVE-Compatible Products and Services page. Recently assigned CVE Identifiers also appear in the US National Vulnerability Database.
What is the “vetting” process for each new vulnerability or exposure?
Sign up for CIO Asia eNewsletters.