CVE Blog

The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. We encourage you to use Medium, LinkedIn, or Twitter to comment on, share, or like a post. Right-click and copy here to share this article from the CVE website.

Our CVE Story: Leading the Way for Vulnerability Disclosures in Physical Security Systems

Share or comment Medium Twitter LinkedIn

Guest Author Rob Cowsley is Cyber Security Architect at Gallagher, and Gallagher is the first New Zealand organization to be authorized as a CVE Numbering Authority (CNA).

As a responsible global security manufacturer, Gallagher acknowledges that the solutions we produced a decade ago were at the forefront of their time, but as security technology evolves, new vulnerabilities present themselves, and it’s how we manage these vulnerabilities today that matters most.

Our continuous improvement mindset, along with a need to streamline and simplify security vulnerability disclosures for the benefit of our customers, inspired our journey to assign CVE IDs to vulnerabilities affecting our product.

Prior to becoming an authorized CVE Numbering Authority (CNA), Gallagher actively assigned CVE IDs through the MITRE CNA of Last Resort to ensure identified vulnerabilities across Gallagher’s security solutions were disclosed. Now that we have the authority to publish our own security vulnerabilities through the CVE Program as CVE Records, we can better communicate this important information to our customers. Furthermore, it allows us to raise awareness of the work we are doing to improve the security of physical systems in an industry that can sometimes be wary of publicly disclosing a vulnerability.

Each year Gallagher releases two software versions of our security software, Command Centre. As part of this product cycle, we ensure that customers are aware of vulnerabilities from previous versions which have been resolved in new releases. In addition to this, we promptly provide maintenance releases to our customers after every software release to ensure all customers using new software have the latest security patches.

Most of our vulnerabilities are found internally through rigorous maintenance and testing. This includes a round of testing conducted by a third-party contractor for every major software release, and from there, they enter a triage process. As the vulnerabilities are being worked on, we look at the potential mitigations and risk involved using CVSS 3.1 to rank the severity of the vulnerability. As a CNA, we release a Security Advisory containing details of any identified vulnerabilities to our customers and list these publicly within a dedicated Security Advisory page on our website. Furthermore, our Responsible Disclosure Policy provides a space for those who wish to report a vulnerability to Gallagher’s internal Security Advisory Committee.

Our strong focus on addressing cyber security threats against physical security systems sees us championing efforts towards responsible vulnerability disclosure in market and educating our Channel Partners and customers about the importance of vulnerability publishing. As part of becoming an authorized CNA, our team underwent training for the CVE Program’s CNA processes and the CVE numbering scheme by the MITRE Top-Level Root and we also conducted an education process with our Channel Partners (security integrators).

Not only has the CVE Program greatly supported us with streamlining our communications to customers and empowering them to be proactive with their security system, but it has also reinforced our credibility and integrity as a manufacturer by demonstrating a level of maturity and trust as a responsible cyber vendor.

- Rob Cowsley
  Cyber Security Architect
  August 17, 2021

Recent Posts

Page Last Updated or Reviewed: August 17, 2021