CVE - CVE Blog “CVE Program Report for Q1 Calendar Year 2021”

TOTAL CVE Records: 240830

NOTICE: Transition to the all-new CVE website at WWW.CVE.ORG and CVE Record Format JSON are underway.

NOTICE: Support for the legacy CVE download formats ended on June 30, 2024.
New CVE List download format is available now on CVE.ORG.

CVE Blog

The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. We encourage you to use Medium, LinkedIn, or Twitter to comment on, share, or like a post. Right-click and copy here to share this article from the CVE website.

CVE Program Report for Q1 Calendar Year 2021

Share or comment

The CVE Program’s quarterly calendar year (CY) summary of program milestones and metrics for Q1 CY 2021 is below.

Q1 CY 2021 Milestones

13 CVE Numbering Authorities (CNAs) Added
Thirteen new CNAs were added, including:

10 by the MITRE Top-Level Root: Arista Networks, Inc. (USA); DeepSurface Security, Inc. (USA); Environmental Systems Research Institute, Inc. (USA); Mautic (USA); Samsung Mobile (South Korea); Sophos Limited (United Kingdom); Swift Project (USA); Synopsys (USA); WPScan (France); and Xen Project (United Kingdom)
2 by the CISA ICS Top-Level Root: Simplinx Ltd. (Turkey) and Xylem (USA)
1 by the JP CERT Root: NEC Corporation (Japan)

CVE Program Podcast Implemented
“We Speak CVE,” a free podcast about cybersecurity, vulnerability management, and the CVE Program was launched with two initial episodes: “How CVE, CISA, and NIST work together to manage vulnerabilities,” and “How MongoDB Manages Its CVEs.”

Two “Our CVE Story” Articles Published on CVE Blog
In February, “Learning to Embrace Recognition and Mitigations of Vulnerabilities as a Strength” was contributed by CVE Outreach and Communications and CNA Coordination working groups member Jonn Perez of Trend Micro, which is also a CNA. In March, “How I Became the CVE Program’s First Vulnerability Researcher CNA” was contributed by independent vulnerability researcher, and CNA, Larry Cashdollar.

New CVE Board Member
Ken Munro of Pen Test Partners (PTP) LLP joined the CVE Board in January. Ken provides the Board with a research community perspective and will help enhance collaboration between the CVE Program and that community.

Q1 CY 2021 Metrics

Metrics for Q1 CY 2021 published CVE Records and reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons.

Terminology

Published – When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published. The associated data must contain an identification number (CVE ID), a prose description, and at least one public reference.
Reserved – The initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA.
Reserved but Public (RBP) – An RBP is a CVE ID in the “Reserved” state that is referenced in one or more public resources, but for which the details have not be published in a CVE Record.

Published CVE Records

As shown in the table below, CVE Program production was 4,419 CVE Records for CY Q1-2021. This includes all CVE Records published by all CNAs.

Comparison of Published CVE Records by Year for All Quarters - Q1 CY 2021

Comparison of Published CVE Records by Year for All Quarters (figure 1)

Reserved CVE IDs

The CVE Program tracks reserved CVE IDs. As shown in the table below, 9,455 CVE IDs were in the “Reserved” state in Q1 CY 2021. This includes all CVE IDs reserved by all CNAs.

Comparison of Reserved CVE IDs by Year for All Quarters - Q1 CY 2021

Comparison of Reserved CVE IDs by Year for All Quarters - All CNAs Year-to-Date Q1 CY 2021 (figure 2)

Finally, the CVE Program also tracks RBPs. As shown below, the number of RBPs increased 15% over last quarter.

Comparison of Reserved but Public CVE IDs by Year for All Quarters - Q1 CY 2021

Comparison of Reserved but Public (RBP) CVE IDs by Year for All Quarters - All CNAs Year-to-Date Q1 CY 2021 (figure 3)

All CVE IDs Are Assigned by CNAs

All of the CVE IDs cited in the metrics above are assigned by CNAs. CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, hosted services, and research groups and individuals authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage. CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign.

Currently, 165 organizations from 27 countries are actively participating in the CVE Program as CNAs. Learn how to become a CNA.

Comments or Questions?

If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu.

We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!