CVE Blog


Guest author Tomo Ito of JPCERT/CC is a member of two CVE Program working groups, CNA Coordination (CNACWG) and Outreach and Communications (OCWG), and JPCERT/CC is the first-ever Root in the CVE Program.

When I was first offered the opportunity to contribute to this blog, I was reminded by a member of the OCWG that JPCERT/CC has a unique story and has been a part of the CVE Numbering Authority (CNA) community for a long time. This is true; we were the first CNA to become a Root in the program besides the MITRE Top-Level Root (MITRE TL-Root), and did not have any CNAs under our umbrella for about 3 years — how is that not unique? I gladly accepted the offer, and with some help from my colleagues and their memories, here is our CVE story.

In 2004, vulnerability coordination activities in Japan were minimal. As a government-designated vulnerability coordinator, JPCERT/CC was conducting coordinated vulnerability disclosure (CVD) activities, but we were not global. We coordinated only with Japanese vendors by ourselves, and as for the global coordination (with the vendors located overseas), we depended on CERT/CC, and our Japan Vulnerability Notes (JVN) advisories were in Japanese text only.

Since the world was becoming more and more interdependent, JPCERT/CC recognized the need to conduct global coordination. We also became aware of the CVE Program, which allows for vulnerabilities to be identified, defined, and cataloged. CVE provides a means to communicate globally about cybersecurity vulnerabilities. JPCERT/CC took this as an opportunity to grow and launched a project to become a CNA.

The project started in 2007; JPCERT/CC localized the JVN website and all its contents through 2007, and then started to publish English JVN advisories and list CVE IDs on them in May 2008 after the JVN English website launch. For two years, JPCERT/CC made individual requests for CVE IDs to the MITRE TL-Root. Then, in June 2010, we became the world's second (CERT/CC being the first) coordinator CNA.

The first year we became a CNA, we assigned 54 CVE IDs; last year, in 2020, we assigned 157 CVE IDs. Our CNA scope is vulnerability assignments related to our vulnerability coordination role, and the number assigned depends on the cases we handle and publish.

When JPCERT/CC became a Root in 2017, we did not have any CNAs under our umbrella. After a couple of years with no interest from any other Japanese companies, we met with the MITRE TL-Root to discuss our lack of CNAs and devise a new recruitment strategy.

We selected candidates based on the organization’s CVD readiness, such as if the organization conducted a bug bounty program. We traveled around Tokyo, from office to office, to explain the value, need, importance and appeal of the CVE Program.

LINE Corporation and Mitsubishi Electric Corporation bravely stepped up, and in December 2020, the two organizations became the first CNAs under our umbrella. There are currently four CNAs with JPCERT/CC — LINE Corporation, Mitsubishi Electric Corporation, NEC Corporation, and now Toshiba Corporation.

JPCERT/CC has translated the note sections of the CNA Onboarding slides into Japanese, and they are being used for our CNA trainings. Full translation of the documents is soon to come.

Our Root scope right now is “Japanese vendors,” and as a neutral organization that understands the importance of global CVD, we would like to expand this to the Asia-Pacific region.

JPCERT/CC attended bi-weekly meetings with the MITRE TL-Root for about six months and is currently attending monthly Roots meetings with the MITRE TL-Root and CISA-ICS TL-Root. Through the meetings with the MITRE TL-Root, JPCERT/CC is preparing to become a Top-Level Root ourselves, and at the Roots meetings, interesting topics such as scope overlaps and CNA recruiting processes are being discussed.

We have also experimentally started to host quarterly meetings with our CNAs called “CNA Talk.” It is an informal, conversational meeting aimed at providing information and solving issues (if any). We are hoping these meetings will turn into CVE Summit Asia-Pacific in the future.

After the “reboot” of our Root activities, I began participating in two different working groups in the CVE program — the OCWG and the CNACWG. Both working groups are full of valuable discussions, and I recommend them to anyone who has not participated. Through OCWG, a Roots-specific podcast, “Partnering with the CVE Program,” was recorded and released with Jo Bazar from the MITRE TL-Root, Erin Alexander from CISA ICS TL-Root, and Shannon Sabens, CVE Board member and OCWG chair.

JPCERT/CC matured as a global CVD organization through CVE — we are now a global CVD coordinator, a Root, and have companions who are on the same mission — global safety — from not only Japan, but around the world. We are grateful for all these.

We have a high degree of respect and gratitude for all the CVE participants, as I always learn new things from the CVE community.

- Tomo Ito
  Early Warning Group
  July 7, 2021

Page Last Updated or Reviewed: July 08, 2021