The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. We encourage you to use Medium, LinkedIn, or Twitter to comment on, share, or like a post. Right-click and copy here to share this article from the CVE website.

Our CVE Story: Rapid7

Share or comment

Guest author Tod Beardsley of Rapid7 is a CVE Board Member as the CNA Coordination Working Group Liaison, and Rapid7 is a CNA.

Back in 2016, something new and exciting was afoot in the CVE Program and at Rapid7. After a particularly troubled period for the program, the CVE Program was looking for partners in its newest mandate to federate the CVE Program and share the load across new kinds of CVE Numbering Authorities (CNAs). Over its decades-spanning history, things in Coordinated Vulnerability land were getting, well, kind of out of hand. MITRE was (and still is) the “CNA of Last Resort (CNA-LR),” and, while a number of prominent tech companies were already signed up as CNAs, those companies really only issued CVE IDs against their own products.

By the mid-2010s, it became clear that these few tech companies were the source of only a tiny minority of CVE-able software. Turns out, every company is a tech company, pumping out their own applications and software stacks, and increasingly, this CNA of last resort became the CVE of first resort. CERT/CC and other national CERTS around the world could also issue CVEs, but they were primarily focused on matters of civilian government information security.

In the meantime, Rapid7 had established itself as a leading voice for the cause of free and open source security — not just software, but the philosophy of transparency when it comes to security issues and their mitigations. Both Rapid7 and the CVE Program felt that we would do well as natural partners in the mission to enumerate all common vulnerabilities, and in December of 2016, we were named a research CNA.

Becoming a CNA was particularly exciting for me, since coordinated vulnerability disclosure is kind of My Thing. From my teen days of running an underground BBS distributing security know-how in the 1980s (okay, they were hacking docs and how-tos on building red boxes) through my work as a technical lead on the Metasploit Framework, I’ve spent the balance of my life trying to educate people about the realities of hacking and security. Now, armed with a clutch of our very own CVEs, we could start distributing CVE IDs to all and sundry researchers who were doing the right thing by publishing valuable security research and Metasploit modules. This bit of coordination can be a huge hassle for individual researchers, so serving as a CNA for public researcher takes at least that part of the pain out of the coordinated vulnerability process.

It also meant that Rapid7 really had to ramp up and formalize our own internal vulnerability reporting processes. Software developers far prefer working on feature requests rather than patching up embarrassing bugs, but, after all, Rapid7 is a security company, so we all knew we had to lead by example here.

In other words, becoming a CNA forces us to actually practice what we preach with coordinated disclosure and own up to our own (fixed) vulnerabilities as they come up, and I think we’re a much better company for it. It’s like the difference between having a gym membership and having a trainer pestering you to actually go. Being a CNA gives us that external pressure to do the right thing we wanted to do anyway, and for that, I’m super grateful to be a part of the program.

If you’re reading this, and thinking about becoming a CNA to score those sweet security gains, click here to get started; it really is pretty healthy for you, your products, and ultimately, your customers, and as an added bonus, the people involved are some of the kindest and smartest people around the coordinated disclosure scene. It's really a pleasure to work with the CVE Program on this, and I’m looking forward to many more years in this partnership.

Comments or Questions?

If you have any questions about this article, please use the CVE Request Web Form and select “Other” from the dropdown menu to contact the CVE Program. We look forward to hearing from you!

Recent Posts

• Process for Assigning CVE IDs to End-of-Life (EOL) Products
• CVE Program Report for Calendar Year Q2-2020
• Our CVE Story: Bringing Our ZDI Community to the CVE Community (guest author)
• CVE Program Report for Calendar Year Q1-2020
• CNA Rules, Version 3.0 Now in Effect
• More >>