CVE Blog


CVE Program Report for Calendar Year Q2-2020

The CVE Program’s quarterly calendar year (CY) summary of program milestones and metrics for CY Q2-2020 is below.

CY Q2-2020 Milestones

13 CVE Numbering Authorities (CNAs) Added
Thirteen new CNAs were added: Advanced Micro Devices (USA), CERT@VDE (Germany), GitLab (USA), NortonLifeLock (USA), openEuler (China), OpenVPN (USA), Pegasystems (USA), Sierra Wireless (Canada), Silver Peak Systems (USA), Teradici (Canada), Vivo (China), Xiaomi (China), and Zscaler (USA).

First “Our CVE Story” Blog Article Published on the CVE Website
“Our CVE Story: Bringing Our ZDI Community to the CVE Community,” written by CVE Board member Shannon Sabens, was published on the CVE Blog in June. The article describes how Zero Day Initiative (ZDI) and Trend Micro became CNAs.

Added Japanese Translations of CNA Onboarding Slides
Japanese translations of the CNA Program onboarding slides for new CNAs, provided by Root CNA JPCERT/CC, were added to the CVE website in June: CVE Program Overview, Becoming a CNA, CNA Processes, Assigning CVE IDs, CVE Entry Creation, and CVE Entry Submission Process.

CVE Board Charter Updated
In June, the CVE Board approved version 3.2 of the “CVE Board Charter,” which adds one section: Section 2.15 Charter Exceptions. In April, the charter had been updated to version 3.1, adding two sections about CVE Working Groups: Section 2.13 Disbanding or Pausing Working Groups and Section 2.14 Guidelines.

Added a New CVE Board Member from CISA
Jay Gazlay of U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) was elected to the CVE Board on May 20.

CY Q2-2020 Metrics

Metrics for CY Q2-2020 covering published CVE Entries, reserved CVE Entries, and requests for CVE IDs from the CVE Program Root CNA (currently MITRE) are included below. Annual metrics are also included in the charts for year-to-year comparisons.

Terminology

  • Published – A published CVE Entry includes the CVE ID, a brief description, at least one public reference, and is available to the general public on the CVE List.
  • Reserved – CNAs reserve a CVE ID for a given vulnerability prior to assigning and publishing it as a CVE Entry on the CVE List.

Published CVE Entries

As shown in the table below, CVE Program production was 5,010 CVE Entries for CY Q2-2020, a 4% production increase compared to the previous quarter. This includes all CVE Entries published by all CNAs.

[Table: Published CVE Entries - All CNAs Year-to-Date CY Q2-2020]

[Figure 1: Comparison of Published CVE Entries by Year for All Quarters - CY Q2-2020]


Reserved CVE Entries

The CVE Program tracks reserved CVE Entries. As shown in the table below, the number of CVE IDs in the reserved state was 4,860 for Q2-2020. The chart below (figure 2) shows the number of CVE IDs added to the CVE List for each year. Unlike the table, the chart counts CVE IDs in either the reserved or the populated state.

[Table: Reserved CVE Entries - All CNAs Year-to-Date CY Q2-2020]

[Figure 2: Comparison of Reserved CVE Entries by Year for All Quarters - All CNAs Year-to-Date CY Q2-2020]


Requests for CVE IDs from the Program Root CNA

Finally, the CVE Program Root CNA receives requests for CVE IDs from the community for vulnerabilities, including open source software product vulnerabilities, that are not already covered by another CNA. The chart below shows the number of unique requesters that received one or more CVE IDs from the Program Root CNA as of CY Q2-2020, as well as by year.

[Figure 3: Requesters that Received a CVE ID from Program Root CNA for CY Q2-2020 and All Years]


All CVE IDs Are Assigned by CNAs

All of the CVE Records cited in the metrics above are published by CNAs. CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, hosted services, and research groups authorized by the CVE Program to assign CVE IDs to vulnerabilities within their own specific scopes of coverage. CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign.

Currently, 133 organizations from 23 countries are actively participating in the CVE Program as CNAs. Learn how to become a CNA.

Comments or Questions?

If you have any questions about this article, please use the CVE Request Web Form and select “Other” from the dropdown menu.

We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!

- The CVE Team
  July 29, 2020

Page Last Updated or Reviewed: August 24, 2020