CVE Blog
The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. We encourage you to use Medium, LinkedIn, or Twitter to comment on, share, or like a post. Right-click and copy here to share this article from the CVE website.
Our CVE Story: The Gift of CVE
Share or comment
Guest author GS McNamara is Principal Application Security Engineer and co-founder of the Global Product Security Incident Response Team (PSIRT) at Forcepoint, and Forcepoint is a CNA.
Forcepoint has partnered with the CVE Program since 2017 as a CVE Numbering Authority (CNA) and has received many benefits from that relationship that continue to have a direct impact on our products. If you are thinking about becoming a CNA, consider the following:
CVE benefits organizations by creating common ground to enable a conversation about managing vulnerabilities whether internally, with peers, or with vendors. Defensive security products can be explicit about the vulnerabilities they protect, which gives the consumer a clear idea of their organization’s residual exposure. People, databases, and tools can all be on the same page.
The value of assigning a vulnerability a convenient CVE ID extends beyond patching. These IDs can be used when tracking corresponding exploits as they’re crafted and used in attacks. As part of a threat intelligence program, CVE IDs help to keep track of threat actors and trends by the vulnerabilities they leverage in their attacks.
CVE benefits producers of hardware, software products, or services with or without bug bounty programs because a CVE ID is an asset that they can offer in lieu of payment to thank a researcher for their effort and participation in a coordinated vulnerability disclosure. This benefits organizations that either don’t want to establish a bug bounty program or those that can’t due to budget considerations or other reasons. Because of the CVE Program, organizations can do this all for free in an official capacity as a CNA for vulnerabilities affecting products within their distinct, agreed-upon scope.
Participation as a CNA can be a sign that an organization has a mature vulnerability management program. Being a CNA also gives the organization the earliest opportunity to direct the conversation about a vulnerability within their scope before it goes public. A CVE ID is something the issuer can attach additional useful information to, such as risk rating, affected versions, mitigations, patches, and whether certain circumstances are required to actually exploit the vulnerability.
CVE benefits researchers by helping them build up a vulnerability research portfolio, full of accomplishments, denoted with globally unique identifiers and the accompanying recognition by established organizations. This is great for researchers looking for an opportunity to establish themselves by getting the recognition they deserve, and especially for those minting their own credentials without needing a formal educational background.
CVE Benefits Us Here at Forcepoint
Participating in the CVE Program has many benefits, and because participation is voluntary, every benefit is a gift. As a CNA, Forcepoint has been able to issue CVE IDs crediting researchers, both external and internal, who have graciously worked with our Product Security Incident Response Team to improve the security of the products and services we make. Being a CNA has given us access to the pulse of the latest developments in the program that will affect us down the road, another gift of CVE, and wherever we can we look to pay it forward.
| - | GS McNamara |
| Principal Application Security Engineer, Co-founder of the Global Product Security Incident Response Team (PSIRT) | |
| Forcepoint | |
| November 16, 2020 |
Comments or Questions?
If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu to contact the CVE Program. We look forward to hearing from you!
Recent Posts
- Our CVE Story: CVE IDs for Simplifying Vulnerability Communications
- CVE Program Report for Calendar Year Q3-2020
- Our CVE Story: Ancient History of the CVE Program – Did the Microsoft Security Response Center have Precognition? (guest author)
- CVE Program Partners with Cybersecurity & Infrastructure Security Agency to Protect Industrial Control Systems and Medical Devices
- Our CVE Story: Rapid7 (guest author)
- More >>
