CVE Program Report for Quarter 4 Calendar Year (Q4 CY) 2023
The CVE Program’s quarterly summary of program milestones and metrics for Q4 CY 2023.
Q4 CY 2023 Milestones
22 CVE Numbering Authorities (CNAs) Added
The twenty-two (22) new CNAs added this quarter are listed below under their Top-Level Root (TL-Root) or Root, with each organization’s scope of coverage described next to its name.
Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Root:
- ARC Informatique: ARC Informatique products and services (France)
- ASR Microelectronics Co., Ltd.: ASR products only (China)
- OTORIO LTD.: All OTORIO products, as well as vulnerabilities in third-party software discovered by OTORIO that are not in another CNA’s scope (Israel)
- Yokogawa Group: Yokogawa Group companies’ products and Yokogawa Group subsidiaries’ products (Japan)
- 1E Limited: All 1E products (including end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by 1E that are not in another CNA’s scope (UK)
- ARCON Techsolutions Private Limited: Vulnerabilities in ARCON’s products only (India)
- Caliptra Project: Caliptra Project components and vulnerabilities that are not in another CNA’s scope (USA)
- Checkmarx: Vulnerabilities in Checkmarx products and open-source vulnerabilities discovered by, or reported to, Checkmarx, that are not in another CNA’s scope (Israel)
- DFINITY Foundation: All Internet Computer projects as found on the following GitHub pages: https://github.com/dfinity and https://github.com/dfinity-lab (Switzerland)
- EnterpriseDB Corporation: All EnterpriseDB products and vulnerabilities identified in open-source libraries used by EnterpriseDB products unless covered by another CNA’s scope (USA)
- Fortra, LLC: All Fortra products and vulnerabilities discovered by Fortra in other products not covered by the scope of another CNA (USA)
- HiddenLayer, Inc.: All HiddenLayer systems, services, and products, as well as vulnerabilities in third-party software discovered by HiddenLayer that are not in another CNA’s scope (USA)
- Keeper Security, Inc.: Keeper Security products and services only (USA)
- KCF Technologies, Inc.: all KCF Technologies products including base stations, repeaters, numerous sensor types, and the SMARTdiagnostics cloud software (USA)
- Lexmark International Inc.: Lexmark products only (USA)
- Libreswan Project: Libreswan software (No country affiliation)
- Network Optix: All Network Optix products, including https://www.networkoptix.com/nx-witness and https://www.networkoptix.com/powered-by-nx (USA)
- PaperCut Software Pty Ltd: PaperCut MF, PaperCut NG, PaperCut Hive, PaperCut Pocket, PaperCut Mobility Print, QRdoc, PaperCut Views, PaperCut Multiverse, https://www.papercut.com, and all other PaperCut products and services (Australia)
- SEC Consult Vulnerability Lab: all vulnerabilities discovered in third-party hardware/software by SEC Consult Vulnerability Lab (part of SEC Consult, an Eviden business), which are not in another CNA’s scope (Austria)
- Smile CDR Inc. (doing business as “Smile Digital Health”): all Smile Digital Health products and HAPI FHIR (Canada)
- Wren Security: Wren Security maintained software (Czech Republic)
- WSO2 LLC: WSO2 products and services scoped under Responsible Disclosure Program https://security.docs.wso2.com/en/latest/security-reporting/reward-and-acknowledgement-program/#products-services-in-scope (USA)
Save the Date Announced for CVE/FIRST VulnCon 2024 on March 25–27, 2024
In December, the CVE Program asked the community to “save the date” for CVE/FIRST VulnCon 2024, to be held March 25–27, 2024, at the McKimmon Center in Raleigh, North Carolina, USA. A call for papers, which closed on January 31, 2024, was announced at the same time. Co-hosted by the CVE Program and FIRST, the purpose of this “first-ever in-person and virtual event” is to “collaborate with various vulnerability management and cybersecurity professionals to develop forward-leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem. A key goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and best determine how to benefit the ecosystem broadly.” The final multi-track conference agenda and other event details are available on the CVE/FIRST VulnCon 2024 conference page hosted on the FIRST website.
OpenSSF Publishes Guide to Becoming a CNA as an Open-Source Project
The Open Source Security Foundation (OpenSSF) published a new guide, “OpenSSF Guide for Open Source Projects: Becoming a CVE Numbering Authority,” on November 27, 2023, on the OpenSSF website. The guide encourages open source projects to assign CVE IDs and publish CVE Records for their own vulnerabilities, and shows how straightforward it is to do so as a CNA. The CVE Program encourages the use and distribution of this guide and has promoted it on the CVE Blog, in the CVE Announce email newsletter, and on CVE social media.
CVE Community Collaborates at “CVE Program Workshop — Fall 2023”
The CVE Program hosted a virtual “CVE Program Workshop — Fall 2023” for CNAs on November 15, 2023. CVE workshops are a way for the community to collaborate regularly on specific topics in a focused manner, and many of the sessions produced lively and interesting discussion among community members. Topics included “State of the CVE Program,” “CVE Services,” “CVE JSON 5.0 Experiences,” “CVE JSON 5.0 Guidance,” “Program Rules Update,” and “CVE Corpus Hygiene.” Presentation slides from the workshop are available here, and all videos are available on the workshop’s playlist on the CVE Program Channel on YouTube.
CVE Records Keep Getting Better and Better for CVE Content Consumers
In October the CVE Program published a blog post entitled “CVE Records Keep Getting Better and Better” that detailed the improvements to the content, structure, and usability of CVE Records that have resulted from the program’s adoption of CVE JSON as the official CVE Record format. The post discusses the benefits and impact of these changes, including that, because the format is standardized and machine-readable, CVE content consumers can streamline and more easily automate their use of CVE Records.
CVE Program News and Announcements Now on Mastodon
The community was informed that the CVE Program has added Mastodon as one of its social media communications channels. Mastodon users can follow the program there for news, new partner announcements, updates on community activities, and more at https://mastodon.social/@CVE_Program. The CVE Program also continues to post on X (formerly Twitter) as @CVEannounce and @CVEnew, and on LinkedIn, Buzzsprout, YouTube, and Medium.
Q4 CY 2023 Metrics
Metrics for Q4 CY 2023 Published CVE Records and Reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons.
Terminology
- Published: When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published. The associated data must contain an identification number (CVE ID), a prose description, and at least one public reference.
- Reserved: The initial state for a CVE Record, entered when the associated CVE ID is reserved by a CNA; the ID is allocated but its record content has not yet been published.
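The two states above, and the machine-readable CVE JSON format the program now publishes records in, are what let a consumer check and count records without reading them by hand. The script below is an added example, not CVE Program code: it checks a record against the Published requirements just listed (a well-formed CVE ID, a prose description, at least one public reference) and tallies the records that qualify by the calendar quarter of their datePublished, the same cut the quarterly metrics use. Field names follow the public CVE Record Format 5.0 (cveMetadata.cveId, cveMetadata.state, cveMetadata.datePublished, containers.cna.descriptions, containers.cna.references); every record is constructed here and the CVE IDs are placeholders, not real assignments. Reserved IDs, by the definition above, have no populated record, so a Reserved count cannot be reproduced from record files like these and needs the program’s own ID tracking; this script counts Published records only.

```python
"""Consumer-side check and tally of CVE JSON 5.0 records.

Added example, not CVE Program code. Field names follow the public CVE Record
Format (JSON 5.0): cveMetadata.cveId, cveMetadata.state,
cveMetadata.datePublished, containers.cna.descriptions[].value and
containers.cna.references[].url. All records below are constructed and the
CVE IDs are placeholders, not real assignments.
"""
import re
from collections import Counter
from datetime import datetime

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def validate_published(record: dict) -> list:
    """Return the reasons a record does not meet the Published requirements
    (CVE ID, prose description, at least one public reference); an empty
    list means it qualifies."""
    problems = []
    meta = record.get("cveMetadata", {})
    cve_id = meta.get("cveId", "")
    if not CVE_ID_RE.match(cve_id):
        problems.append(f"malformed or missing cveId: {cve_id!r}")
    if meta.get("state") != "PUBLISHED":
        problems.append(f"state is {meta.get('state')!r}, not PUBLISHED")
    cna = record.get("containers", {}).get("cna", {})
    if not any(d.get("value", "").strip() for d in cna.get("descriptions", [])):
        problems.append("no prose description")
    if not any(r.get("url", "").startswith(("http://", "https://"))
               for r in cna.get("references", [])):
        problems.append("no public reference URL")
    return problems


def calendar_quarter(iso_ts: str) -> str:
    """Map an ISO-8601 timestamp to a 'Qn CYyyyy' label; Q4 CY2023 is Oct-Dec 2023."""
    dt = datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))
    return f"Q{(dt.month - 1) // 3 + 1} CY{dt.year}"


def tally(records):
    """Count records that pass validate_published per quarter of datePublished.
    Returns (counts, skipped); skipped maps cveId -> problems for records that
    were not counted (REJECTED records, records missing required content)."""
    counts = Counter()
    skipped = {}
    for rec in records:
        cve_id = rec.get("cveMetadata", {}).get("cveId", "<no id>")
        problems = validate_published(rec)
        if problems:
            skipped[cve_id] = problems
            continue
        counts[calendar_quarter(rec["cveMetadata"]["datePublished"])] += 1
    return counts, skipped


def pct_change(new: int, old: int) -> float:
    """Quarter-over-quarter change in percent, as reported in the metrics."""
    return round((new - old) / old * 100, 1)


def make_record(cve_id, state, published, description, urls):
    """Build a minimal record in the CVE JSON 5.0 shape (constructed data)."""
    return {
        "dataType": "CVE_RECORD",
        "dataVersion": "5.0",
        "cveMetadata": {"cveId": cve_id, "state": state, "datePublished": published},
        "containers": {"cna": {
            "descriptions": [{"lang": "en", "value": description}],
            "references": [{"url": u} for u in urls],
        }},
    }


# Constructed sample input: two complete Q4 records, one Q3 record, one
# Published record with no reference, and one REJECTED record.
SAMPLE_RECORDS = [
    make_record("CVE-2023-99901", "PUBLISHED", "2023-10-05T12:00:00.000Z",
                "Placeholder description.", ["https://example.com/advisory/1"]),
    make_record("CVE-2023-99902", "PUBLISHED", "2023-11-20T09:30:00.000Z",
                "Placeholder description.", []),
    make_record("CVE-2023-99903", "PUBLISHED", "2023-12-31T23:59:59.000Z",
                "Placeholder description.", ["https://example.com/advisory/3"]),
    make_record("CVE-2023-99904", "PUBLISHED", "2023-09-01T00:00:00.000Z",
                "Placeholder description.", ["https://example.com/advisory/4"]),
    make_record("CVE-2023-99905", "REJECTED", "2023-11-01T00:00:00.000Z",
                "Placeholder description.", ["https://example.com/advisory/5"]),
]

if __name__ == "__main__":
    counts, skipped = tally(SAMPLE_RECORDS)
    print(dict(counts))   # {'Q4 CY2023': 2, 'Q3 CY2023': 1}
    print(skipped)        # CVE-2023-99902 (no reference), CVE-2023-99905 (REJECTED)
    print(pct_change(counts["Q4 CY2023"], counts["Q3 CY2023"]))
```

Run against a directory of real record files (one JSON object each), the same functions give a per-quarter count of Published records and a list of records that a consumer should not treat as Published; the reference check deliberately accepts only http(s) URLs, since a reference that is not publicly reachable does not satisfy the “public reference” requirement.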
Published CVE Records
As shown in the table below, the CVE Program published 7,876 CVE Records in Q4 CY 2023, 940 more than the 6,936 records published in Q3 CY 2023, an increase of about 14%. This figure includes all CVE Records published by all CNAs and by the two CNAs of Last Resort (CNA-LRs).
Reserved CVE IDs
The CVE Program also tracks reserved CVE IDs. As shown in the table below, 11,586 CVE IDs were in the Reserved state in Q4 CY 2023, 2,491 more than the 9,095 reserved in Q3 CY 2023, an increase of about 27%. This figure includes all CVE IDs reserved by all CNAs and by the two CNA-LRs.
CVE IDs Reserved/CVE Records Published Quarterly Trend by CY
CNA Partners Grow the CVE List
All of the CVE IDs and CVE Records cited in the metrics above are assigned and published by CNAs and the two CNA-LRs, within their own specific scopes.
CNAs partner with the program from a variety of business sectors; the requirements are minimal, and there is no monetary fee or contract to sign. Currently, 365 organizations (363 CNAs and 2 CNA-LRs) are partners with the CVE Program, spanning 40 countries plus one organization with no country affiliation.
Learn how to become a CNA or contact one of the following to start the partnering process today:
- CISA Top-Level Root: Vulnerabilities that are (1) reported to or observed by CISA and (2) affect critical infrastructure, U.S. civilian government, industrial control systems, or medical devices, and (3) are not covered by another CNA’s scope
- CISA ICS Root: Vulnerabilities that are (1) reported to or observed by CISA, (2) affect industrial control systems or medical devices, and (3) are not covered by another CNA’s scope
- MITRE Top-Level Root: Vulnerabilities, and Open-Source software product vulnerabilities, not already covered by a CNA listed on this website
- Google Root: Alphabet organizations
- INCIBE Root: Spain organizations
- JPCERT/CC Root: Japan organizations
- Red Hat Root: The entire open-source community. Any open-source organization that prefers Red Hat as its Root; organizations are free to choose another Root if it suits them better
Comments or Questions?
To provide feedback about this article, please use our CVE Blog feedback form, comment here on the CVE Blog on Medium, or use the CVE Program Request forms and select “Other” from the dropdown menu.
We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!