CVE Blog
The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. We encourage you to use Medium, LinkedIn, or Twitter to comment on, share, or like a post. Right-click and copy here to share this article from the CVE website.
Our CVE Story: Using the CVE Program to Provide Reliable Vulnerability Information
Share or comment
Guest author Milind Kulkarni is a member of the CVE Outreach and Communications Working Group and NVIDIA is a CNA.
Customers and developers often rely on vulnerability descriptions to determine the security risks to their systems. If the information associated with a vulnerability is incomplete or vague, consumers of this information may miscalculate their risk assessments. This can make it difficult to determine the urgency of applying remediations, which may result in systems remaining vulnerable to cyber threats. By becoming a CVE Numbering Authority (CNA) and assigning a CVE ID when disclosing a security vulnerability, you can publish structured and reliable vulnerability information. This provides your customers the benefit of the accurate information they need to prioritize remediation activities necessary to secure their systems.
NVIDIA became a CNA in 2016. After becoming a CNA, we started using the CVE Program to gain significant benefits. Our status as a CNA gives us the authority to assign CVE IDs to vulnerabilities reported in our products and to provide tailored descriptions that get published in the public CVE List, and allows us to own the messaging for our security vulnerabilities.
After a security update is released, we publish a comprehensive security bulletin that serves as an authoritative reference for the CVE Record. In the security bulletin, we provide a brief description about the CVE, severity and vector, security impact, affected versions, instructions on how to apply the remediation, and acknowledgement to the finders for responsible disclosure (if applicable). NVIDIA utilizes industry standards like Common Weakness Enumeration (CWE™) for creating the vulnerability description and Common Vulnerability Scoring System (CVSS) for scoring severity and vector for the CVE Record.
Incorporating the CVE Program may initially appear to be a burden on your security operations because you might think that this will need complete change of process and consume a lot of time, but, in my experience, the CVE Program is flexible enough to easily accommodate your existing processes which, once integrated, become a routine set of activities. The steps for assigning CVE IDs and publishing CVE Records can be completed either manually, or by using automation if you have the resources. The CVE Program can be well adopted by organizations, irrespective of their size, that have a growing product portfolio and consumers. The CVE Program gives a sense that there is a security lifecycle for your products and that you give attention to security issues. Following these simple and straightforward CVE Record Requirements outlined in the CVE Program have helped NVIDIA to integrate the CVE steps in our processes for disclosing vulnerabilities and messaging for the CVE Record.
The CVE Program has greatly helped us streamline our communications and provide reliable vulnerability information to our customers, empowering them to make informed decisions about the security of their systems. If your organization is interested in gaining the benefits from the CVE Program, check out the CVE Program’s guide on How to Become a CNA. You will certainly be in a better position by adopting the CVE Program in your vulnerability disclosure practices, which will benefit not only your company, but also your customers and ecosystem, in making your products and systems more secure than before.
| - | Milind R. Kulkarni |
| Sr. Program Manager, Product Security Incident Response Team (PSIRT) | |
| NVIDIA | |
| December 15, 2020 |
Comments or Questions?
If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu to contact the CVE Program. We look forward to hearing from you!
Recent Posts
- CVE Program Terminology Updated: “CVE Record,” “Top-Level Root,” & More
- Our CVE Story: CVE IDs for Simplifying Vulnerability Communications
- CVE Program Report for Calendar Year Q3-2020
- Our CVE Story: Ancient History of the CVE Program – Did the Microsoft Security Response Center have Precognition? (guest author)
- CVE Program Partners with Cybersecurity & Infrastructure Security Agency to Protect Industrial Control Systems and Medical Devices
- More >>
