CVE - CVE Blog “CVE Program Report for Q2 Calendar Year 2021”

TOTAL CVE Records: 240830

NOTICE: Transition to the all-new CVE website at WWW.CVE.ORG and CVE Record Format JSON are underway.

NOTICE: Support for the legacy CVE download formats ended on June 30, 2024.
New CVE List download format is available now on CVE.ORG.

CVE Blog

The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. We encourage you to use Medium, LinkedIn, or Twitter to comment on, share, or like a post. Right-click and copy here to share this article from the CVE website.

CVE Program Report for Q2 Calendar Year 2021

Share or comment

The CVE Program’s quarterly calendar year (CY) summary of program milestones and metrics for Q2 CY 2021 is below.

Q2 CY 2021 Milestones

16 CVE Numbering Authorities (CNAs) Added
Sixteen new CNAs were added, including:

13 by the MITRE Top-Level Root: Axis Communications AB (Sweden); ESET, spol. s r.o. (Slovak Republic); Fidelis Cybersecurity, Inc. (USA); Fluid Attacks (Colombia); GS McNamara LLC (USA); huntr.dev (UK); Octopus Deploy (Australia); Patchstack OÜ (Estonia); Solarwinds (USA); Vaadin, Ltd. (Finland); Wordfence (USA); Zoom Video Communications, Inc. (USA); and Zyxel Corporation (Taiwan)
2 by the CISA ICS Top-Level Root: Becton, Dickinson and Company (USA) and Hitachi ABB Power Grids (Switzerland)
1 by the JPCERT/CC Root: Toshiba Corporation (Japan)

1 Root Organization Added
On June 17, Spanish National Cybersecurity Institute (INCIBE) became a Root for Spain Organizations under the MITRE Top-Level Root. As a Root for Spain Organizations, INCIBE is responsible for ensuring the effective assignment of CVE IDs and publication of CVE Records, implementing the CVE Program rules and guidelines, recruitment and onboarding of new CNAs, managing the CNAs under its care, and resolving disputes within its scope.

CVE Services v1.1.1 Deployed for CNAs in June
The goal of the CVE Services is to simplify and automate the reservation of CVE IDs and the submission and uploading of CVE Records to the CVE List for CNAs. Released June 15-16, CVE Services v1.1.1 updates include implementing new initial User Registry functions/endpoints for CNAs for improved management of their CVE Services users and accounts. In addition, cvelib, a library and a command line interface for the CVE Services API that is free to use by all CNAs, was developed and released by Martin Prpic of Red Hat. CVE Services v1.1.1 is a minor release and is backwards compatible with CVE Services v1.0.1, which was deployed for CNAs in December 2020.

Three “We Speak CVE” Podcast Episodes Published
In June, “How the New CVE Record Format Is a Game Changer” focuses on how the very basic legacy format of CVE Records is being transformed for the future to make CVE Records even more valuable. In May, the CVE Program’s automated CNA CVE ID assignment and CVE Record publishing services are discussed in “Engaging with CVE’s Automated CNA Services.” In April, Larry Cashdollar explains how he became the CVE Program’s first-ever independent vulnerability researcher CNA in “Interview with Larry Cashdollar A Researcher’s Perspective.”

Two “Our CVE Story” Articles Published on CVE Blog
In June, “Our CVE Story: From Robot Security Research to Managing Robot Vulnerabilities” was contributed by CVE community member Endika Gil-Uriarte of Alias Robotics, which is also a CNA. In March, “Our CVE Story: An Open-Source, Community-Based Example” was contributed by long-time CVE Board member Mark Cox of Apache Software Foundation, which is also a CNA.

New CVE Board Member
Chandan Nandakumaraiah of Palo Alto Networks joined the CVE Board in May. Chandan, a long-term active contributor to the CVE Program and current co-chair of the CVE Quality Working Group (QWG), will continue to help CVE to evolve in a positive, user-centric way as a CVE Board member.

CVE Global Summit – Spring 2021
On May 13-14, members of the CVE community gathered together virtually for the “CVE Global Summit – Spring 2021” to discuss CVE and cybersecurity, best practices, lessons learned, new opportunities, and more. Held twice per year, the summit is a way for CVE community members to regularly collaborate on specific topics in a focused manner. Session topics at the spring summit included an Update on CVE Federation; NVD’s CVMAP; Dissecting .Net Vulnerabilities; Enhancing CVE Identification–The Yocto Project Example; How Red Hat operates as a CNA; CVE JSON Schema Version 5.0; NIS2 and CVE; How the Apache CNA Handles Over 300 Subprojects; and Relationships Between CVE IDs and Vulnerability Abstraction; among other topics.

Q2 CY 2021 Metrics

Metrics for Q2 CY 2021 published CVE Records and reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons.

Terminology

Published – When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published. The associated data must contain an identification number (CVE ID), a prose description, and at least one public reference.
Reserved – The initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA.
Reserved but Public (RBP) – An RBP is a CVE ID in the “Reserved” state that is referenced in one or more public resources, but for which the details have not be published in a CVE Record.

Published CVE Records

As shown in the table below, CVE Program production was 5,000 CVE Records for CY Q2 2021, a 12% increase over CY Q1 2021. This includes all CVE Records published by all CNAs.

Comparison of Published CVE Records by Year for All Quarters - Q2 CY 2021

Comparison of Published CVE Records by Year for All Quarters (figure 1)

Reserved CVE IDs

The CVE Program tracks reserved CVE IDs. As shown in the table below, 7,895 CVE IDs were in the “Reserved” state in Q2 CY 2021. This includes all CVE IDs reserved by all CNAs.

Comparison of Reserved CVE IDs by Year for All Quarters - Q2 CY 2021

Comparison of Reserved CVE IDs by Year for All Quarters - All CNAs Year-to-Date Q2 CY 2021 (figure 2)

Finally, the CVE Program also tracks RBPs. As shown below, the number of RBPs increased 9% over last quarter.

Comparison of Reserved but Public CVE IDs by Year for All Quarters - Q2 CY 2021

Comparison of Reserved but Public (RBP) CVE IDs by Year for All Quarters - All CNAs Year-to-Date Q2 CY 2021 (figure 3)

All CVE IDs Are Assigned by CNAs

All of the CVE IDs cited in the metrics above are assigned by CNAs. CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, hosted services, and research groups and individuals authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage. CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign.

Currently, 179 organizations from 30 countries are actively participating in the CVE Program as CNAs. Learn how to become a CNA or contact a Top-Level Root (CISA ICS or MITRE) to start the process today.

Comments or Questions?

If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu.

We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!