CVE Program Report for Quarter 1 Calendar Year (Q1 CY) 2023


By CVE Program

The CVE Program’s quarterly summary of program milestones and metrics for Q1 CY 2023.

Q1 CY 2023 Milestones

Seventeen CVE Numbering Authorities (CNAs) Added

The seventeen (17) new CNAs added this quarter are listed below under their Top-Level Root (TL-Root) or Root.

  • B. Braun SE for B. Braun’s commercially available products only (Germany)
  • CyberDanube for all CyberDanube products, as well as vulnerabilities in third-party hardware/software discovered by CyberDanube that are not in another CNA’s scope (Austria)

  • Austin Hackers Anonymous (AHA!) for vulnerabilities in the AHA! website and other AHA! controlled assets, as well as vulnerabilities identified in assets owned, operated, or maintained by another organization unless covered by the scope of another CNA (USA)
  • dotCMS LLC for all dotCMS product services including the vulnerabilities reported in our open source core located at https://github.com/dotCMS/core (USA)
  • Exodus Intelligence for vulnerabilities discovered by Exodus Intelligence as well as acquisitions from independent researchers via its Research Sponsorship Program (RSP) (USA)
  • Genetec Inc. for Genetec products and solutions only (Canada)
  • Hillstone Networks Inc. for vulnerabilities in our products listed at https://www.hillstonenet.com/hillstone-networks-product-portfolio/ and those products we sell only in China listed at https://www.hillstonenet.com.cn/product-and-service/, not including our websites (China)
  • The HISP Centre at the University of Oslo for security issues in DHIS2 open source web and mobile software applications (Norway)
  • IDEMIA for all IDEMIA products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by IDEMIA that are not in another CNA’s scope (France)
  • Liferay, Inc. for all Liferay supported products and end-of-life/end-of-service products (USA)
  • National Instruments for NI products only (including National Instruments) (USA)
  • Open-Xchange for products and services provided by Open-Xchange, PowerDNS, and Dovecot (Germany)
  • Securifera, Inc. for vulnerabilities in vendor products discovered by Securifera, or related parties, while performing vulnerability research or security assessments (USA)
  • ServiceNow for all ServiceNow products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by ServiceNow that are not in another CNA’s scope (USA)
  • Shop Beat Solutions (Pty) LTD for vulnerabilities in Shop Beat products and services and vulnerabilities discovered by Shop Beat unless covered by the scope of another CNA (South Africa)
  • STAR Labs SG Pte. Ltd. for vulnerabilities discovered by STAR Labs SG that are not in another CNA’s scope (Singapore)

  • Glyph & Cog, LLC for Xpdf open source project, including the xpdf viewer and associated command line tools (USA)

“Hard Deploy” of New CVE Services/CVE JSON 5.0/CVE JSON 5.0 Bulk Downloads in March

The CVE Program achieved a major milestone in its self-service automation goals in March with the hard deploy of the new CVE Services/CVE JSON 5.0/CVE JSON 5.0 Bulk Downloads. CVE JSON 5.0 is the format used by the services for CVE Records and bulk downloads (i.e., all CVE Records and updates are included in a single download file). “Hard deploy” means all issues with CVE Services “soft deploy” have been addressed, and the CVE JSON 5.0 Bulk Download capability is available for community use. CVE Services provides new self-service web forms and open source tools that enable CNAs to reserve any number of CVE IDs in sequential or non-sequential order, and to populate, publish, and update CVE Records. With CVE Services, CNAs save time and reduce costs by directly and efficiently managing their own CVE content. Visit the CVE Services page for information about how to obtain credentials for using the services, a workflow tutorial, demos, and more.

CVE List Downloads in CVE JSON 5.0 Format Available for All CVE Content Consumers

The cvelistV5 repository was launched on GitHub.com in March to provide free bulk downloads of CVE Records in CVE JSON 5.0 format for the worldwide cybersecurity community, per the terms of use. CVE JSON 5.0 (view the schema) is the new official data format for CVE Records and download files. The repository includes release versions of all current CVE Records generated from the official CVE Services API. All download files, including baseline and hourly releases, are available on GitHub, while a single download file of the most recent release is available from the Downloads page on the CVE website. View the “Now Available — CVE List Downloads in CVE JSON 5.0 Format” announcement blog and the repository ReadMe for additional information.

Community Notified Legacy Download Formats to Be Deprecated

As part of the “Now Available — CVE List Downloads in CVE JSON 5.0 Format” announcement about the implementation of the new download format and repository, the community was also notified that the legacy format CVE List downloads (i.e., CSV, HTML, XML, and CVRF), which are derived from the previous format for CVE Records, will be phased out in the first half of 2024. Any tools or automation that use these old formats may no longer work once the old formats have been deprecated, so organizations should take action now.

Hear About Microsoft’s Journey Adopting CVE Services & CVE JSON 5.0

The “We Speak CVE” podcast series provides new and valuable information to the community about the CVE Program, vulnerability management, and cybersecurity. In the “Microsoft’s Journey Adopting CVE Services & CVE JSON 5.0” podcast episode, published in October, Kris Britton of the CVE Program speaks with Lisa Olson of Microsoft about Microsoft’s journey adopting the new CVE Services and CVE JSON 5.0 into their vulnerability management infrastructure and how they used them for the first time as part of Microsoft’s February 2023 Patch Tuesday.

How Red Hat Supports Open-Source Needs Within the CVE Program

The Red Hat Root published two blogs this quarter to help educate the CNA and open source communities about its role in supporting open source needs within the CVE Program. “Our CVE Story: Why Red Hat Became a Root,” published in January, tells the story of Red Hat’s long-term partnership with the CVE Program as a CNA, how Red Hat is active in CVE working groups, the significant contributions Red Hat has made to the development of the program’s automated CVE Services, and how all of these experiences led to Red Hat’s decision to become a Root. Published in February, “How Red Hat Supports Open-Source Vulnerabilities Within the CVE Program,” provides details about Red Hat’s experience and expertise in open source and its value proposition for being chosen as a Root by current and prospective open source CNAs.

Collaboration Is Focus of CVE Global Summit Spring 2023

On March 22-23, members of the CVE community gathered together in-person and virtually for the CVE Global Summit Spring 2023 to discuss CVE and cybersecurity, best practices, lessons learned, new opportunities, and more. Held twice per year, the summit is a way for CVE community members to regularly collaborate on specific topics in a focused manner. Session topics at the spring summit included an Introduction and State of the CVE Program; a status report on the deployment of CVE Services and the CVE JSON 5.0 Bulk Download capability; a discussion about the forthcoming CNA Rules document currently underway; a process review of the CVE Record Dispute Policy; updates on the CVE Authorized Data Publisher (ADP) pilot; a presentation about how Red Hat’s Root is supporting open source CVE needs; a primer on the CNA Mentoring Program; a CVE Program listening session focused on CNAs; a Top-Level Roots and Roots discussion panel; Working Groups progress and highlights; and an open discussion on program topics of concern to the assembled CNAs; among other topics.

Q1 CY 2023 Metrics

Metrics for Q1 CY 2023 Published CVE Records and Reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons.

Terminology

  • Published: When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published. The associated data must contain an identification number (CVE ID), a prose description, and at least one public reference.
  • Reserved: The initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA.
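A record-level check of the Published minimum just described, run over a CVE JSON 5.0 record of the kind the cvelistV5 bulk downloads contain. This is an added example, not CVE Program code; the record is constructed sample data, and the field layout (cveMetadata for ID and state, containers.cna for CNA content) follows the public CVE JSON 5.0 schema.

```python
import copy
import re

# Constructed minimal CVE JSON 5.0 record (sample data, not a real CVE).
# cveMetadata holds the ID and state; containers.cna holds what the CNA populated.
SAMPLE_RECORD = {
    "dataType": "CVE_RECORD",
    "dataVersion": "5.0",
    "cveMetadata": {
        "cveId": "CVE-1900-0001",
        "assignerOrgId": "00000000-0000-4000-8000-000000000000",  # placeholder
        "state": "PUBLISHED",
    },
    "containers": {
        "cna": {
            "descriptions": [{"lang": "en", "value": "Constructed example description."}],
            "references": [{"url": "https://example.invalid/advisory"}],
        }
    },
}
# Same record with its references stripped: no longer meets the Published minimum.
SAMPLE_MISSING_REFERENCE = copy.deepcopy(SAMPLE_RECORD)
SAMPLE_MISSING_REFERENCE["containers"]["cna"]["references"] = []

CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def published_record_check(record: dict) -> list:
    """Return the problems found; an empty list means a Published record carries
    the three required items: a CVE ID, a prose description, a public reference."""
    problems = []
    # Later 5.x minor versions keep this layout (assumption); the report covers 5.0.
    if record.get("dataType") != "CVE_RECORD" or not str(record.get("dataVersion", "")).startswith("5."):
        problems.append("not a CVE JSON 5.x record")
    meta = record.get("cveMetadata", {})
    if not CVE_ID_RE.fullmatch(meta.get("cveId", "")):
        problems.append("missing or malformed cveId")
    if meta.get("state") != "PUBLISHED":
        return problems  # Reserved (and Rejected) records carry no CNA content to check
    cna = record.get("containers", {}).get("cna", {})
    if not any(d.get("value", "").strip() for d in cna.get("descriptions", [])):
        problems.append("PUBLISHED record has no prose description")
    if not any(r.get("url", "").startswith(("http://", "https://")) for r in cna.get("references", [])):
        problems.append("PUBLISHED record has no public reference")
    return problems

def summarize(record: dict) -> tuple:
    """(cveId, state, first English description) for a one-line inventory entry."""
    meta = record["cveMetadata"]
    descs = record.get("containers", {}).get("cna", {}).get("descriptions", [])
    english = next((d["value"] for d in descs if d.get("lang", "").startswith("en")), "")
    return meta["cveId"], meta["state"], english
```

Pointed at a cvelistV5 checkout, the same check can be applied to each `CVE-*.json` file to flag records a downstream tool would otherwise silently accept without a description or reference.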

Published CVE Records

As shown in the table below, CVE Program production was 7,015 CVE Records for CY Q1 2023. This is an 11% increase over the previous quarter of 6,231 records published in CY Q4 2022. This includes all CVE Records published by all CNAs and the two CNAs of Last Resort (CNA-LRs).

Year   Quarter   CVE Records Published by All CNAs
2023   Q1        7,015

Reserved CVE IDs

The CVE Program tracks reserved CVE IDs. As shown in the table below, 9,126 CVE IDs were in the “Reserved” state in Q1 CY 2023, a 12% increase from the 8,030 IDs reserved in the previous quarter CY Q4 2022. This includes all CVE IDs reserved by all CNAs and the two CNA-LRs.

Year   Quarter   CVE IDs Reserved by All CNAs
2023   Q1        9,126

CVE IDs Reserved/CVE Records Published Quarterly Trend by CY

Quarterly trend of reserved CVE IDs and published CVE Records by all CNAs and CNA-LRs.
View as tables on the Metrics page.

CNA Partners Grow the CVE List

All of the CVE IDs and CVE Records cited in the metrics above are assigned and published by CNAs and the two CNA-LRs, within their own specific scopes.

CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign. Currently, 295 organizations from 36 countries have partnered with the CVE Program.

Learn how to become a CNA or contact one of the following to start the partnering process today:

  • CISA ICS for Industrial control systems and medical devices (Top-Level Root)
  • MITRE for all vulnerabilities, and Open-Source software product vulnerabilities, not already covered by a CNA listed on this website (Top-Level Root)
  • Google for Alphabet organizations (Root)
  • INCIBE for Spain organizations (Root)
  • JPCERT/CC for Japan organizations (Root)
  • Red Hat for the entire open source community. Any open source organization that prefers Red Hat as its Root; organizations are free to choose another Root if it suits them better (Root)

Comments or Questions?

If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu.

We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!

NOTE: This article was revised on July 25, 2023, to update text and links to the most current information.