The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. Right-click and copy a URL to share a post, or comment on a post by using our LinkedIn page or the CVE Request Web Form by selecting “Other” from the dropdown.
The CVE Program’s quarterly calendar year (CY) summary of program milestones and metrics for CY Q4-2019 is below.
7 CVE Numbering Authorities (CNAs) Added
Seven new CNAs were added: ABB (Switzerland), Eaton (Ireland), Opera Software (Norway), OTRS (Germany), SICK AG (Germany), Splunk (USA), and Tigera (USA).
CVE Board Charter Updated
In December, the CVE Board approved “CVE Board Charter,” version 3.0, which includes important updates to the CNA Liaison board member description and requirements, addition of a new section focused on organizational voting, and other updates to voting policies and procedures.
CVE Booth at Black Hat Europe 2019
The CVE Program continued ongoing engagement with the CVE and cybersecurity communities by hosting a CVE Booth at Black Hat Europe 2019 on December 4-5, in London, United Kingdom. Almost all visitors to the booth knew about the CVE Program and its value. However, very few understood that the program is scaling through a federated governance and operational model and how CNAs are critical to the model’s success.
CVE Team at Association for the Advancement of Artificial Intelligence 2019 Fall Symposium Series
The CVE Team continued to engage with the community on topics relevant to cybersecurity and CVE by participating in the “Artificial Intelligence in Government and Public Sector” discussion and other AI topics at the Association for the Advancement of Artificial Intelligence 2019 Fall Symposium Series on November 7-9, in Arlington, Virginia, USA.
CVE 20-Year Anniversary in October
The CVE Program celebrated its 20-year anniversary in October. The CVE Program began in 1999 with 321 entries listed, and since then, the CVE List has become a global, community-driven and continuously growing open data registry with more than 124,000 vulnerabilities listed as of October 2019. A true community effort, the CVE List continues to grow with new CVE Entries added daily by numerous CNAs from around the world populating their own CVE Entries. Learn how to become a CNA.
Metrics for CY Q4-2019 populated CVE Entries, reserved CVE Entries, and requests for CVE IDs from the CVE Program Root CNA (currently MITRE) are included below. Annual metrics are also included in the charts for year-to-year comparisons.
Terminology
Populated CVE Entries
As shown in the table below, the CVE Program produced 4,826 CVE Entries in CY Q4-2019, making it the second most productive quarter ever, with a 34% production increase compared to the same period last year (3,614 for CY Q4-2018). This includes all CVE Entries populated by all CNAs.
Comparison of Populated CVE Entries by Year for All Quarters (figure 1)
Reserved CVE Entries
The CVE Program tracks reserved CVE Entries. As shown in the table below, the number of CVE IDs in the reserved state was 8,444 for Q4-2019, which is a 24% increase compared to this same time last year (6,440 for CY Q4-2018). This increase in Q4 is partly due to CNAs reserving CVE IDs for the next calendar year. The chart below (figure 2) shows the number of CVE IDs added to the CVE List for each year. Unlike the table, the CVE IDs in the chart can be either in the reserved or populated state.
Comparison of Reserved CVE Entries by Year for All Quarters - All CNAs Year-to-Date CY Q4-2019 (figure 2)
Requests for CVE IDs from the Program Root CNA
Finally, the CVE Program Root CNA receives requests for CVE IDs from the community for vulnerabilities and open source software product vulnerabilities that are not already covered by another CNA. The chart below shows the number of unique requesters that received one or more CVE IDs from the Program Root CNA as of CY Q4-2019, as well as by year.
Requesters that Received a CVE ID from Program Root CNA for CY Q4-2019 and All Years (figure 3)
All of the CVE Entries cited in the metrics above are assigned by CNAs. CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, and research groups authorized by the CVE Program to assign CVE Entries to vulnerabilities within their own specific scopes of coverage. CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign.
Currently, 115 organizations from 22 countries are actively participating in the CVE Program as CNAs. Learn how to become a CNA.
If you have any questions about this article, please use the CVE Request Web Form and select “Other” from the dropdown menu.
We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!
- The CVE Team
February 11, 2020