CVE Blog

The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. Right-click and copy a URL to share a post, or comment on a post by using our LinkedIn page or the CVE Request Web Form by selecting “Other” from the dropdown.


CVE Program Report for Calendar Year Q1-2020

The CVE Program’s quarterly calendar year (CY) summary of program milestones and metrics for CY Q1-2020 is below.

CY Q1-2020 Milestones

7 CVE Numbering Authorities (CNAs) Added
Seven new CNAs were added: Alias Robotics (Spain), Ampere Computing (USA), Cybellum (Israel), GitHub (Products Only) (USA), Google LLC (USA), Spanish National Cybersecurity Institute (Spain), and Tcpdump Group (Canada).

CNA Rules Version 3.0 Released
Version 3.0 of the CNA Rules took effect on March 5 and was revised with significant input from the CNA community. Version 3.0 was a major update of the CNA Rules. Important updates include refining the roles of Sub-CNAs, Root CNAs, and the Program Root CNA, while adding two new roles: Secretariat and CNA of Last Resort (CNA-LR). Assignment, communication, and administration rules are specified for each role. In addition, separate chapters specify the CVE ID Assignment Rules, which includes the CVE Program’s definition of a vulnerability; CVE Entry Requirements; the Appeals Process; Defining a CNA’s Scope; and a CNA Rules Update chapter with rules for updating the CNA Rules document.

CVE Program Channel on YouTube
The CVE Program Channel on YouTube was launched in March with two playlists, “CVE Basics” with introductory videos for all audiences and “CNA Onboarding Guidance” with several videos of detailed processes and procedures guidance for organizations that have signed on to participate as official CNAs.

CVE Team at RSA Conference 2020
The CVE Team continued to engage with the community on topics relevant to cybersecurity and CVE by attending RSA Conference 2020 on February 24-28, in San Francisco, California, USA. CVE Team members also actively engaged throughout the conference with interested organizations about the benefits of joining the CNA Program.

CVE Team at PSIRT Technical Colloquium 2020
The CVE Team continued to engage with the community on topics relevant to cybersecurity and CVE by participating in the PSIRT Technical Colloquium 2020 on March 4-5, in Durham, North Carolina, USA. CVE Team members also actively engaged throughout the conference with interested organizations about the benefits of joining the CNA Program.

New CVE Logo Chosen by the Community
The CVE Program held a logo contest for the community to select a new CVE logo for the CVE Program. The contest began in January with 38 designers providing 260 initial design concepts, from which the CVE Outreach and Communications Working Group (OCWG) selected 8 finalists for the community to vote upon. The community voting portion of the contest ran for two weeks, and the winning logo was announced to the community on March 6 (see logo here). It will be rolled out on the website, social media accounts, and in other communications materials in the coming months.

CY Q1-2020 Metrics

Metrics for CY Q1-2020 populated CVE Entries, reserved CVE Entries, and requests for CVE IDs from the CVE Program Root CNA (currently MITRE), are included below. Annual metrics are also included in the charts for year-to-year comparisons.

Terminology

  • Populated – A populated CVE Entry includes the CVE ID, a brief description, at least one public reference, and is available to the general public on the CVE List.
  • Reserved – CNAs reserve a CVE ID for a given vulnerability prior to assigning and populating it as a CVE Entry on the CVE List.

Populated CVE Entries

As shown in the table below, CVE Program production was 4,808 CVE Entries for CY Q1-2020, a 15% production increase compared to this same time last year (3,245 CVE Entries for CY Q1-2019). This includes all CVE Entries populated by all CNAs.


[Table: Populated CVE Entries - All CNAs Year-to-Date CY Q1-2020]

[Figure 1: Comparison of Populated CVE Entries by Year for All Quarters - CY Q1-2020]


Reserved CVE Entries

The CVE Program tracks reserved CVE Entries. As shown in the table below, the number of CVE IDs in the reserved state was 6,723 for Q1-2020. The chart below (figure 2) shows the number of CVE IDs added to the CVE List for each year. Unlike the table, the CVE IDs in the chart can be either in the reserved or populated state.


[Table: Reserved CVE Entries - All CNAs Year-to-Date CY Q1-2020]

[Figure 2: Comparison of Reserved CVE Entries by Year for All Quarters - All CNAs Year-to-Date CY Q1-2020]


Requests for CVE IDs from the Program Root CNA

Finally, the CVE Program Root CNA receives requests for CVE IDs from the community for vulnerabilities and open source software product vulnerabilities that are not already covered by another CNA. The chart below shows the number of unique requesters that received one or more CVE IDs from the Program Root CNA as of CY Q1-2020, as well as by year.


[Figure 3: Requesters that Received a CVE ID from Program Root CNA for CY Q1-2020 and All Years]


All CVE Entries Are Assigned by CNAs

All of the CVE Entries cited in the metrics above are assigned by CNAs. CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, and research groups authorized by the CVE Program to assign CVE Entries to vulnerabilities within their own specific scopes of coverage. CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign.

Currently, 120 organizations from 21 countries are actively participating in the CVE Program as CNAs. Learn how to become a CNA.

Comments or Questions?

If you have any questions about this article, please use the CVE Request Web Form and select “Other” from the dropdown menu.

We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!

- The CVE Team
  April 30, 2020

Page Last Updated or Reviewed: August 24, 2020