CVE Blog
The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. We encourage you to use Medium, LinkedIn, or Twitter to comment on, share, or like a post. Right-click and copy here to share this article from the CVE website.
CVE Program Report for Q4 Calendar Year 2020
Share or comment
The CVE Program’s quarterly calendar year (CY) summary of program milestones and metrics for Q4 CY 2020 is below.
Q4 CY 2020 Milestones
9 CVE Numbering Authorities (CNAs) Added
Nine new CNAs were added: Coalfire Labs (USA), Cyber Security Works (India), Joomla! Project (USA), LINE (Japan), Logitech (Switzerland), Mitsubishi Electric (Japan), NLnet Labs (Netherlands), Secomea (Denmark), and WhiteSource (USA).
CVE Program Terminology Updated
In December, the CVE Program announced that new terminology would be implemented across the CVE website and on CVE’s social media platforms. The changes, including replacing the term CVE Entry with CVE Record, replacing the term Populated with Published as a state of CVE Records, updating the definition of the term Reserved but Public (RBP), and adding a new Top-Level Root CNA role, among others, were made to optimize CVE content on the website for users and to ensure clear and concise communications with the community.
New CVE Logo Implemented
The new CVE logo, which was chosen by the community in a contest held in 2020, was posted on the main CVE website and social media channels in December.
Three “Our CVE Story” Articles Published on CVE Blog
Published on the CVE Blog in October, “Our CVE Story: CVE IDs for Simplifying Vulnerability Communications” was written by CVE Quality Working Group co-chair Chandan Nandakumaraiah of Palo Alto Networks; published in November, “Our CVE Story: The Gift of CVE” was written by CVE community member GS McNamara of Forcepoint; and published in December, “Our CVE Story: Using the CVE Program to Provide Reliable Vulnerability Information” was written by CVE Outreach and Communications Working Group member Milind Kulkarni of NVIDIA. All three organizations are CNAs. Also, CVE Blog articles are also now co-posted on Medium.
Q4 CY 2020 Metrics
Metrics for Q4 CY 2020 published CVE Records and reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons.
Terminology
- Published – When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published. The associated data must contain an identification number (CVE ID), a prose description, and at least one public reference.
- Reserved – The initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA.
- Reserved but Public (RBP) – An RBP is a CVE ID in the “Reserved” state that is referenced in one or more public resources, but for which the details have not be published in a CVE Record.
Published CVE Records
As shown in the table below, CVE Program production was 4,387 CVE Records for CY Q4-2020. There were 18,395 total CVE Records published in 2020, a 6% increase over 2019 in which 17,309 total CVE Records were published. This includes all CVE Records published by all CNAs.
Comparison of Published CVE Records by Year for All Quarters (figure 1)
Reserved CVE IDs
The CVE Program tracks reserved CVE IDs. As shown in the table below, 11,392 CVE IDs were in the “Reserved” state in Q4 CY 2020. In 2020, there were 30,680 total CVE IDs in the Reserved state, a 21% increase over 2019, in which 24,179 total CVE IDs were in the Reserved state. This includes all CVE IDs reserved by all CNAs.
Comparison of Reserved CVE IDs by Year for All Quarters - All CNAs Year-to-Date Q4 CY 2020 (figure 2)
Finally, the CVE Program also tracks RBPs. As shown in the table below, the number of RBPs decreased 65% (-954) in Q4 CY 2020 compared to this same time last year.
Comparison of Reserved but Public (RBP) CVE IDs by Year for All Quarters - All CNAs Year-to-Date Q4 CY 2020 (figure 3)
All CVE IDs Are Assigned by CNAs
All of the CVE IDs cited in the metrics above are assigned by CNAs. CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, hosted services, and research groups authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage. CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign.
Currently, 152 organizations from 25 countries are actively participating in the CVE Program as CNAs. Learn how to become a CNA.
Comments or Questions?
If you have any questions about this article, please use the CVE Request Web Form and select “Other” from the dropdown menu.
We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!
| - | The CVE Team |
| January 26, 2021 | |
|
CVE Request Web Form (select “Other” from dropdown) |
Recent Posts
- Our CVE Story: Using the CVE Program to Provide Reliable Vulnerability Information (guest author)
- CVE Program Terminology Updated: “CVE Record,” “Top-Level Root,” & More
- Our CVE Story: The Gift of CVE (guest author)
- Our CVE Story: CVE IDs for Simplifying Vulnerability Communications (guest author)
- Our CVE Story: Ancient History of the CVE Program – Did the Microsoft Security Response Center have Precognition (guest author)
- More >>
