Episodes
-
In this episode â recorded live at âCVE/FIRST VulnCon 2024â â CVE Board member and CVE podcast host Shannon Sabens of CrowdStrike chats with the three newest CVE Board members: Madison Oliver of GitHub Security Lab, Tod Beardsley of Austin Hackers Anonymous (AHA!), and MegaZone of F5 who joins as the new CVE Numbering Authority (CNA) Liaison to the Board.
Topics include how and why each new member joined the board, the impact that participating in CVE Working Groups had on their decisions to become Board members, how federation and the ongoing addition of new CNA partners has significantly improved the CVE Program, how the program is voluntary, and how those who participate have the ability to make significant impacts in improving vulnerability management at an international level, and more.
-
Host Shannon Sabens speaks with Art Manion and Kent Landfield, all three of whom are CVE Board members and CVE Working Group (WG) chairs, about CVE Records. Discussion topics include the CVE Record Lifecycle, the three âstatesâ of CVE Records (RESERVED, PUBLISHED, and REJECTED), the current âtagsâ in use with CVE Records (EXCLUSIVELY-HOSTED-SERVICE; UNSUPPORTED-WHEN-ASSIGNED; and DISPUTED), the difference between the REJECTED state and the DISPUTED tag, how a DISPUTED tag can be temporary or indefinite, and much more.
-
Missing episodes?
-
Learn how CVE Numbering Authority (CNA) partnersâranging from large to small organizations, proprietary and open-source products or projects, disparate business sectors, and different geographic locationsâare overseen and supported within the CVE Program by âTop-Level Rootsâ and âRoots.â Topics include the roles and responsibilities of the two different types of Roots; how their work benefits the CNAs under their care; how they recruit new CNA partners, including suggestions for addressing upper management concerns if a CNA prospect organization is hesitant to partner as a CNA; how they work with and support their CNAs over time; how the âCouncil of Rootsâ works together to enhance and help improve the program overall; and much more. All current CVE Program Top-Level Roots and Roots are represented in this podcast.
In addition to host Shannon Sabens of CrowdStrike, speakers include Julia Turkevich of the CISA Top-Level Root and CISA ICS Root, Dave Morse of the MITRE Top-Level Root, Cristian Cadenas Sarmiento of the INCIBE Root, Paul Dev of the Google Root, Tomo Ito of the JPCERT/CC Root, and Yogesh Mittal of the Red Hat Root.LINKS:
Benefits of being a CNA partner How to become a CNA partner Partner onboarding process List of current CNA partners -
Shannon Sabens of CrowdStrike and Kent Landfield of Trellix, both of whom are CVE Board members and CVE Working Group chairs, speak about how the new CVE Record format â with its new structured data format and optional information fields â will benefit and provide enhanced value to consumers of CVE content moving forward.
Specific topics discussed include how the new CVE Record format will enable more complete vulnerability information to be captured early on in the advisory process and how that will benefit consumers; the ability for CVE content consumers to streamline and more easily automate their use of CVE Records because the data format is standardized and machine-readable; the automated creation and publication of CVE Records by CVE Numbering Authorities (currently, 320+ CNAs from 35+ countries!), which means more quality CVE Records can be produced at a faster pace than ever before for use by the worldwide community; and, for the ability of official CVE Program âAuthorized Data Publishers (ADPs)â to enrich the content of already published CVE Records with additional risk scores, affected product lists, versions, references, translations, and so on, (learn more about ADPs in this CVE podcast).
Vulnerability scoring methods for CVE Records are also discussed, including NVDâs use of CVSS, CISAâs Known Exploited Vulnerabilities (KEV) Catalog, and more. -
Host Shannon Sabens of CrowdStrike chats with Julia Turkevich of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about the myths and facts of partnering with the CVE Program as a CVE Numbering Authority (CNA).
How to Become a CNACNA Onboarding Process OverviewCVE Program StructureCISA ICS Top-Level Root partner details pageList of CVE Program Partners
Truth and facts about the following myths are discussed:
Myth #1: Only a specific category of software vendors can become CNAs.
Myth #2: Organizations cannot leverage their existing vulnerability management and disclosure processes when they become a CNA.
Myth #3: The requirements for becoming a CNA are overwhelming and extensive.
Myth #4: A fee is required to become a CNA.
Myth #5: The CNA onboarding process is too complicated and time-consuming.
Myth #6: Organizations cannot choose the Top-Level Root or Root they want to work with.
The purpose and overall structure of the CVE Program and CISA's role in recruiting and managing CNAs within its Top-Level Root scope of industrial control system (ICS) and operation technology (OT) are also discussed.
LINKS: -
Kris Britton of the CVE Program speaks with Lisa Olson of Microsoft about Microsoftâs journey adopting the new CVE Services and CVE JSON 5.0 into their vulnerability management infrastructure and how they used them for the first time as part of Microsoftâs February 2023 Patch Tuesday.
Discussion topics include the CVE JSON 5.0 schema mind map and other schema resources on GitHub; reviewing CVE JSON 5.0 records on the CVE.ORG website; using Vulnogram, or one of the other CVE Services clients, for creating, editing, and reviewing CVE JSON 5.0 records; leveraging the CVE Services Test Environment (learn more here); how separate credentials are required for the official CVE Services and the CVE Services Test Environment; learning about CVE Services and CVE JSON 5.0 updates by attending Automation Working Group (AWG), Quality Working Group (QWG), and CNA Coordination Working Group (CNACWG) meetings; leveraging the CVE Services Slack channel for support; and more.
Resources mentioned in the podcast: https://www.cve.org/Media/News/item/podcast/2023/03/08/Microsofts-Journey-CVE-Services-CVE-JSON-5
-
Shannon Sabens of CrowdStrike chats with Madison Oliver of GitHub Security Lab about the recent release of OpenSSFâs âGuidance for Security Researchers to Coordinate Vulnerability Disclosures with Open Source Software Projectsâ document and the important step of obtaining a CVE ID in the coordinated vulnerability disclosure process for open-source vulnerabilities.
OpenSSF is a âcross-industry organization that brings together the industryâs most important open source security initiatives and the individuals and companies that support them.â The CVD Guide was released by OpenSSFâs Vulnerability Disclosure working group in September 2022, which in 2021 released its âGuide to Implementing a Coordinated Vulnerability Disclosure Process for Open Source Projectsâ document, both of which are discussed by Shannon and Madison.
Other discussion topics in this episode include the importance of finders (e.g., security researchers, hackers, academics, bug bounty hunters, etc.) in vulnerability management, how finders can expedite their requests to software owners with quality information in their initial requests, OpenSSFâs vulnerability report template and how using it can help with requests, importance of obtaining a CVE ID for open source and all vulnerabilities, best practices for working with CVE Numbering Authorities (CNAs), managing expectations for turnaround times, the CVE Programâs CVE Record Dispute Policy, why all participants should remember that they are interacting with people in all aspects of the vulnerability management process, and more.
LINKS:
OpenSSF CVD Guide â https://github.com/ossf/oss-vulnerability-guide/blob/main/finder-guide.md#readme
OpenSSF vulnerability report template â https://github.com/ossf/oss-vulnerability-guide/blob/main/templates/notifications/disclosure.md
OpenSSF Implementing a CVD Process Guide â https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md#readme
CVE Record Dispute Policy â https://www.cve.org/Resources/General/Policies/CVE-Record-Dispute-Policy.pdf
CNAs â https://www.cve.org/ProgramOrganization/CNAs
-
Host Shannon Sabens of CrowdStrike chats with Tod Beardsley of Rapid7, who is the chair of the CVE Program's CNA Coordination Working Group (CNACWG), about the CNACWGâs "CNA Mentoring Program."
Topics discussed include how CVE is a community, how the mentoring program is as little or as much work as youâd like it to be, the many ways in which mentoring can help new CVE Numbering Authorities (CNAs) be successful, the benefits to both organizations, the very simple signup process (a Google form, no login required) that's for CNAs-only, and more.Tod also writes about The CNA Mentoring Program on the CVE Blog.
-
Shannon Sabens of CrowdStrike and Tod Beardsley of Rapid7, both of whom are CVE Board members and CVE Working Group chairs, chat about the CVE Program from their insiderâs perspectives.
Topics include the value of a federated program of CVE Numbering Authorities (CNAs) from around the world for increased assignment of CVE Records; the upside and minimal requirements to becoming a CNA; the types of organizations that are CNAs; how CNAs are a community with a mentoring program; how CNAs assigning CVE Identifiers (CVE IDs) benefits the global IT community; CVE versus NVD; how CNAs impact the program by participating in CVE Working Groups, be it for one-off or longer-term contributions; and how the CVE Program is about people working to improve cybersecurity for all.
Tod also writes about many of these topics in his article, An Inside Look at What Makes the CVE Program Tick, on SCMagazine.
-
Shannon Sabens of CrowdStrike chats with Madison Oliver of GitHub Security Lab about how and why CVEs are assigned, the value of CVEs in vulnerability management, responsible coordination of vulnerability disclosures, the importance of comprehensiveness in security advisories, and why there is no stigma in a CVE. CVE Numbering Authority (CNA) scopes, disclosure policies, turnaround times, and more are discussed in general, as are GitHubâs specific CNA processes and how it helps open-source projects hosted on GitHub with their CVEs and advisories.
Madison also writes about many of these topics in her blog article, Removing the Stigma of a CVE, on the GitHub Blog. -
Shannon Sabens of CrowdStrike and Milind Kulkarni of a NVIDIA discuss what security researchers should expect when reporting vulnerabilities to a Product Security Incident Response Team (PSIRT); how to best to collaborate with them; how to interpret responses from the PSIRT; how to get the best outcome when making a report; supported versus end-of-life (EOL) products; CVE Numbering Authority (CNA) scopes; timing of a patch versus the publication of a CVE Record; and more.
-
Kent Landfield of McAfee and Art Manion of CERT/CC discuss how the CVE Programâs upcoming release of JSON 5.0 will allow for additional and related information to be added to CVE Records after they have been published by CVE Numbering Authorities (CNAs). These additions â such as risk scores, affected product lists, versions, references, translations, etc. â will be made by âAuthorized Data Publishers (ADPs),â which will be organizations authorized within the CVE Program to enrich the records. Also discussed are the benefits of enriched CVE Records to downstream users and the overall vulnerability management community, the use of Stakeholder-specific Vulnerability Categorization (SSVC), and plans and expectations for the upcoming ADP pilot.
-
Shannon Sabens of CrowdStrike chats with Peter Allor, Fåbio Olivé, and Martin Prpic of Red Hat, which is a long-time CVE Numbering Authority (CNA). The benefits of actively participating as a member of the CVE community are discussed, especially in the CVE Working Groups, which allows Red Hat to directly contribute to enhancing CVE automation and quality, as well as strategic planning for future improvements.
Specific topics include Red Hat being a resource for other CNAs, particularly for open-source vendors and projects; the industry-wide value of the upcoming CVE Record JSON Schema to be a universal vulnerability representation; automation of CNA processes and the upcoming release of CVE Services 2.0; Red Hatâs development of a free API, cvelib, for use by all CNAs that can help them interact with the automated services; and more.
CVEÂź - https://www.cve.org/
Red Hat - https://www.redhat.com/
CrowdStrike - https://www.crowdstrike.com/
CVE Working Groups - https://www.cve.org/ProgramOrganization/WorkingGroups
How to become a CNA - https://www.cve.org/PartnerInformation/Partner#HowToBecomeAPartner -
Episode 9 â Three CVE Board members provide the truth and facts about the following myths about the CVE Program:
Myth #1: The CVE Program is run entirely by the MITRE Corporation
Myth #2: The CVE Program is controlled by software vendors
Myth #3: The CVE Program doesnât cover enough types of vulnerabilities
Myth #4: The CVE Program is responsible for assigning vulnerability severity scores
CVE Program â https://www.cve.org
CVE Board â https://www.cve.org/ProgramOrganization/Board -
Our eighth episode is all about how community members actively engage in the six CVE Working Groups (WGs) to help improve quality, automation, processes, and other aspects of the CVE Program as it continues to grow and expand. The chairs and co-chairs of each WG, each of whom is an active member of the CVE community, chat about their WGâs overall mission, current work, and future plans.
Discussion begins with the Transition (TWG), a temporary WG focused on managing the numerous modernization, automation, and process transitions currently underway in the CVE Program. Each of the five main WGs are then discussed in turn: Strategic Planning (SPWG), CNA Coordination (CNACWG), Quality (QWG), Automation (AWG), and Outreach and Communications (OCWG).
How and why to participate, and the impact individuals can make on the program, are also included.
CVE WG details and membership info â https://cve.mitre.org/working_groups.html
CNAs â https://cve.mitre.org/cve/cna.html
How to become a CNA â https://cve.mitre.org/cve/cna.html#become_a_cna
CVE Board â https://cve.mitre.org/community/board/index.html
CVE Program â https://cve.mitre.org
-
Episode 4 â Kelly Todd of the CVE Program interviews security researcher Larry Cashdollar about how he got started researching vulnerabilities and his experiences over the years, how he became the CVE Programâs first-ever independent vulnerability researcher CVE Numbering Authority (CNA), best practices, and the benefits of being able to assign his own CVE IDs to the vulnerabilities he discovers.
CVE - https://cve.mitre.org/
Larry Cashdollar - https://twitter.com/_larry0 -
Episode 3 - Shannon Sabens of CrowdStrike speaks with Jo Bazar of the CVE Program, Erin Alexander of CISA ICS, and Tomo Itou of JPCERT/CC about the structure and objectives of the CVE Numbering Authority (CNA) program, what it means to be a Root and a CNA, the benefits of partnering with the CVE Program, and recommendations for organizations considering becoming a Root or CNA.
CVE - https://cve.mitre.org/
CISA - https://www.cisa.gov/
CrowdStrike - https://www.crowdstrike.com/
JPCERT/CC - https://www.jpcert.or.jp/vh/index.html
How to become a CNA - https://cve.mitre.org/cve/cna.html#become_a_cna -
Episode 2 - Chris Sandulow, Boris Sieklik, and Lena Smart from MongoDB discuss their internal processes for managing CVEs, the importance of CVSS scoring to their customers, the benefits experienced from partnering with the CVE Program as a CVE Numbering Authority (CNA), and recommendations for other organizations considering becoming a CNA.
