CVE Blog

The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE.

Our CVE Story: Bringing Our ZDI Community to the CVE Community


Guest author Shannon Sabens of Zero Day Initiative (ZDI)/Trend Micro, Inc. is a CVE Board Member, and both ZDI and Trend Micro are CNAs.

At ZDI, we have benefitted greatly from working with the CVE Program and becoming a CVE Numbering Authority (CNA). While we aren’t one of the oldest CNAs, we do have a relationship with the CVE Program going back many years. Our history with the program is surely different from that of many vendor CNAs, but I think we have largely shared in the same mutual benefits.

ZDI, as a security research organization and a bug bounty, was formed 15 years ago. We are one of the oldest bug bounties. As a research organization, we used to approach the CVE Program independently and individually for the CVEs we needed assigned to track vulnerabilities that we had vetted and acquired. Once upon a time, we would write to a CVE Coordination email address to provide all the relevant information and to get a CVE. Later, to do this, just like many independent researchers today, we would write to the CVE Coordinators at Request a CVE ID. We would provide the vulnerability type, the vendor or developer name, the affected product name and the version information.

Then, several years ago, ZDI approached the CVE Program about becoming a CNA. At that time, they discussed it, but bug bounties in general were still a fairly new concept, and ZDI, as a bug bounty, did not fit the requirements for becoming a CNA.

That said, we were very flattered and pleased when the CVE Board voted to make ZDI a “full-coverage source.” Perhaps we can think of this period as a compromise or a transition phase. It meant that in lieu of me, as the ZDI PM, having to contact the CVE Program and request a CVE ID for a report that did not already have a CVE ID or where the affected vendor was not a CNA, the program proactively looked at ZDI as a source, assigned CVEs to our fully vetted reports that were missing them, and issued those CVEs to ZDI directly. This was an effective step.

Later, when the criteria for becoming a CNA were amended and it became permissible for bug bounties and research organizations to potentially qualify as CNAs, ZDI again approached the CVE Program to inquire about becoming a CNA. This time it was agreed that ZDI could meet the current criteria. We studied up a little and demonstrated that we could administer the assignments ourselves.

As a CNA, you will provide a statement about your scope. What you, as a CNA, are providing CVEs for is your scope. At ZDI, we asked only that we administer for ourselves what the CVE Program had been doing for ZDI as a “full-coverage source.” It means that where the vendor or CERT we reported a vulnerability to is not a CNA, we can assign a CVE to the vulnerability. Specifically, our scope says exactly: “Products and projects covered by its bug bounty programs that are not in another CNA’s scope.”

Likewise, ZDI assisted the PSIRT for our company’s own products through the CNA onboarding process. The Trend Micro PSIRT became a CNA too!

The current requirements for becoming a CNA are quite accessible:

  • Have a public vulnerability disclosure policy.
  • Have a public source for new vulnerability disclosures.
  • Agree to the CVE Terms of Use.

As a CNA we have gained a deeper understanding of CVE and become active members of a lively community with a shared commitment to CVE. This has benefitted us as a research organization and has helped us to develop our staff.

If you need CVE education for staff, there are PDF and video materials available.

We feel the biggest benefit is that we document the message associated with the CVE and we can attest to its transparency and accuracy. Our participation in CVE is a demonstration of our commitment to this.

We sincerely hope that sharing our experience may benefit others who are considering becoming a CNA. If you have questions about the program, we are happy to share our experience or you can contact the fabulous professional team of CNA Coordinators with the CVE Program.

Best Wishes,

- Shannon Sabens
  Sr. Program Manager
  ZDI Program/Trend Micro
  June 22, 2020



Page Last Updated or Reviewed: October 16, 2020