The CVE program’s new rules: will they affect your vulnerability management?
The article discusses the Common Vulnerabilities and Exposures (CVE) Program, which catalogs publicly known cybersecurity vulnerabilities and is managed by the MITRE Corporation. It emphasizes that organizations are not required to submit CVEs for internally discovered vulnerabilities. The program has over 380 partners, organized into categories such as Top-Level Roots, Roots, CNAs (CVE Numbering Authorities), and CNA-LRs. These partners are responsible for assigning CVE IDs and managing vulnerability information.
The article then details a major update to the CNA Rules (version 4.0), set to take effect in August 2024, and highlights three significant changes:
- Right of First Refusal (4.2.1.1): The CNA with the most appropriate scope must be contacted first to assign a CVE ID.
- Technology-neutral Assignments (4.2.3): CNAs must avoid bias towards any specific technology platform when assigning CVEs.
- Clarity for CVE Assignments: Specifies criteria for what constitutes a vulnerability worthy of a CVE ID.
Ambiguities remain around issues like vulnerabilities in upstream software dependencies and the term "Independently Fixable Vulnerability." Real-world examples, such as the HTTP/2.0 protocol vulnerabilities, illustrate these complexities.
The expected impact of these new rules includes a more flexible and inclusive CVE assignment process, potentially increasing the number of recognized cybersecurity threats. Increases in CVE submissions are anticipated, with predictions suggesting a significant rise in approved CVEs in the coming years.
The document provides additional resources for further information on the CVE Program and its structure.