CVE Blog



CVE Program Report for Calendar Year Q3-2019


The CVE Program will issue a summary of program milestones and metrics for each quarter of the calendar year (CY), beginning with the summary for CY Q3-2019, below.

CY Q3 Milestones

5 CVE Numbering Authorities (CNAs) Added
Five new CNAs were added: Bitdefender (Romania), GitHub (USA), HCL Software (India), OPPO (China), and Salesforce (USA). DUO merged with Cisco, which remains a CNA.

100+ CNAs Milestone Achieved
On August 14, the CVE Program achieved the milestone of 100 organizations participating as CNAs. By the end of CY Q3, there were 103 CNAs.

Added a New CVE Board Member from Trend Micro/ZDI
Shannon Sabens of Trend Micro Incorporated/Zero Day Initiative (ZDI) was elected to the CVE Board on July 2.

Added a New CVE Working Group Focused on Outreach and Communications
The Outreach and Communications Working Group (OCWG), formed in July, is focused on promoting the CVE Program to achieve program adoption and coverage goals through increased community awareness.

CVE Working Groups (WGs) Information Added to Main CVE Website
Information about contact methods, documents, and projects for the five CVE WGs—which are open to community participation—was added to the CVE website. The CVE WGs are actively focused on: automation, strategic planning, CNA coordination, CVE quality, and outreach and communications.

Began CVE 20-Year Anniversary Activities
The CVE Program began its 20-year anniversary by continuing ongoing engagement with the CVE and cybersecurity communities at Black Hat USA 2019 on August 3-8, and DEF CON 27 on August 8-11, in Las Vegas, Nevada, USA.

CY Q3 Metrics

Metrics for CY Q3-2019 are included below for populated CVE Entries, reserved CVE Entries, and requests for CVE IDs from the CVE Program Root CNA (currently MITRE). Annual metrics are also included in the charts for year-to-year comparisons.

Terminology

  • Populated – A populated CVE Entry includes the CVE ID, a brief description, and at least one public reference.
  • Reserved – CNAs reserve a CVE ID for a given vulnerability prior to assigning and populating it as a CVE Entry on the CVE List.

Populated CVE Entries

As shown in the table below, CVE Program production was 30% above average in Q3 for this calendar year. This includes all CVE Entries populated by all CNAs. An average of 3,960 CVE Entries have been populated per quarter, year-to-date.

[Table: Populated CVE Entries - All CNAs Year-to-Date CYQ32019]

[Figure 1: Comparison of Populated CVE Entries by Year for All Quarters - CYQ32019]


Reserved CVE Entries

The CVE Program tracks reserved CVE Entries. As shown in the table below, the number of CVE IDs in the reserved state for Q3 is 10.7% above the previous quarter. The chart below (figure 2) shows the number of CVE IDs added to the CVE List for each year. As we are still in 2019, only the number of CVE IDs before October are shown for 2019. Unlike the table, the CVE IDs in the chart can be either in the reserved or populated state.

[Table: Reserved CVE Entries - All CNAs Year-to-Date CYQ32019]

[Figure 2: Comparison of Reserved CVE Entries by Year for All Quarters - All CNAs Year-to-Date CYQ32019]


Requests for CVE IDs from the Program Root CNA

Finally, the CVE Program Root CNA receives requests for CVE IDs from the community for vulnerabilities (including open source software product vulnerabilities) that are not already covered by another CNA. The chart below shows the number of unique requesters that received one or more CVE IDs from the Program Root CNA as of CY Q3-2019, as well as by year.

[Figure 3: Requesters that Received a CVE ID from Program Root CNA for CYQ32019 and All Years]


All CVE Entries Are Assigned by CNAs

All of the CVE Entries cited in the metrics above are assigned by CNAs. CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, and research groups authorized by the CVE Program to assign CVE Entries to vulnerabilities within their own specific scopes of coverage. CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign.

Currently, 107 organizations from 20 countries are actively participating in the CVE Program as CNAs. Learn how to become a CNA.

Comments or Questions?

If you have any questions about this article, please use the CVE Request Web Form and select “Other” from the dropdown menu.

We look forward to hearing from you!

- The CVE Team
  November 18, 2019



Page Last Updated or Reviewed: August 24, 2020