Merge pull request #2366 from CVEProject/content-rjr-2359
#2359 Add 1 new Blog
jdaigneau5 authored Nov 28, 2023
2 parents bd51c37 + b5c9c2a commit 0f35952
Showing 2 changed files with 206 additions and 1 deletion.
207 changes: 206 additions & 1 deletion src/assets/data/news.json
@@ -1,7 +1,212 @@
{
"currentNews": [
{
"id": 273,
"id": 274,
"newsType": "blog",
"title": "CVE Program Report for Quarter 3 Calendar Year (Q3 CY) 2023",
"urlKeywords": "CVE Program Report for Q3 2023",
"date": "2023-11-28",
"author": {
"name": "CVE Program",
"organization": {
"name": "CVE Program",
"url": ""
},
"title": "",
"bio": ""
},
"description": [
{
"contentnewsType": "paragraph",
"content": "The CVE Program’s quarterly summary of program milestones and metrics for Q3 CY 2023."
},
{
"contentnewsType": "paragraph",
"content": "<h3>Q3 CY 2023 Milestones</h3>"
},
{
"contentnewsType": "paragraph",
"content": "<h4>19 CVE Numbering Authorities (CNAs) Added</h4>"
},
{
"contentnewsType": "paragraph",
"content": "The nineteen (19) new <a href='/ProgramOrganization/CNAs'>CNAs</a> added this quarter are listed below under their <a href='/ResourcesSupport/Glossary?activeTerm=glossaryTLRoot'>Top-Level Root (TL-Root)</a> or <a href='/ResourcesSupport/Glossary?activeTerm=glossaryRoot'>Root</a>. Scope of coverage is described next to their organization name."
},
{
"contentnewsType": "paragraph",
"content": "<strong><a href='/PartnerInformation/ListofPartners/partner/icscert'>Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Root</a>:</strong>"
},
{
"contentnewsType": "paragraph",
"content": "<ul><li><a href='/PartnerInformation/ListofPartners/partner/AlgoSec'>AlgoSec</a>: AlgoSec products only (Israel)</li><li><a href='/PartnerInformation/ListofPartners/partner/ADI'>Analog Devices, Inc.</a> (ADI): Vulnerabilities in ADI firmware and software products (USA)</li><li><a href='/PartnerInformation/ListofPartners/partner/IDBS'>ID Business Solutions</a>: IDBS products as listed on <a target='_blank' href='https://www.idbs.com/products/'>https://www.idbs.com/products/</a> (UK)</li><li><a href='/PartnerInformation/ListofPartners/partner/MIM'>MIM Software Inc.</a>: MIM software products, platforms, and services as well as vulnerabilities reported to MIM Software in third-party components or libraries used by MIM Software products, platforms, and services not covered by another CNA (USA)</li></ul>"
},
{
"contentnewsType": "paragraph",
"content": "<strong><a href='/PartnerInformation/ListofPartners/partner/Google'>Google Root</a>:</strong>"
},
{
"contentnewsType": "paragraph",
"content": "<ul><li><a href='/PartnerInformation/ListofPartners/partner/Mandiant'>Mandiant Inc.</a>: Vulnerabilities in Mandiant products or discovered by Mandiant while performing vulnerability research or security assessments, unless covered by another CNA’s scope (USA)</li></ul>"
},
{
"contentnewsType": "paragraph",
"content": "<strong><a href='/PartnerInformation/ListofPartners/partner/mitre'>MITRE TL-Root</a>:</strong>"
},
{
"contentnewsType": "paragraph",
"content": "<ul><li><a href='/PartnerInformation/ListofPartners/partner/Canon_EMEA'>Canon EMEA</a>: Canon EMEA internally developed services and solutions as well as NT-ware, IRIS, and Therefore (UK)</li><li><a href='/PartnerInformation/ListofPartners/partner/CERT-PL'>CERT.PL</a>: Vulnerabilities in software discovered by CERT.PL, and vulnerabilities reported to CERT.PL for coordinated disclosure, which are not in another CNA’s scope (Poland)</li><li><a href='/PartnerInformation/ListofPartners/partner/CrowdStrike'>CrowdStrike Holdings, Inc.</a>: All CrowdStrike products (USA)</li><li><a href='/PartnerInformation/ListofPartners/partner/Hanwha_Vision'>Hanwha Vision Co., Ltd.</a>: Hanwha Vision (formerly Samsung Techwin and Hanwha Techwin) products and solutions only, including end-of-life (EOL) (South Korea)</li><li><a href='/PartnerInformation/ListofPartners/partner/ICT'>Integrated Control Technology LTD</a> (ICT): All ICT security products (New Zealand)</li><li><a href='/PartnerInformation/ListofPartners/partner/Nokia'>Nokia</a>: All vulnerabilities in Nokia products (Finland)</li><li><a href='/PartnerInformation/ListofPartners/partner/PSF'>Python Software Foundation</a>: Only supported and end-of-life Python versions available at <a target='_blank' href='https://python.org/downloads'>https://python.org/downloads</a> and pip versions available at <a target='_blank' href='https://pypi.org/project/pip'>https://pypi.org/project/pip</a>, and excluding distributions of Python and pip maintained by third-party redistributors (USA)</li><li><a href='/PartnerInformation/ListofPartners/partner/Phoenix'>Phoenix Technologies, Inc.</a>: All Phoenix Technologies products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Phoenix Technologies that are not in another CNA’s scope (USA)</li><li><a href='/PartnerInformation/ListofPartners/partner/ProgressSoftware'>Progress Software Corporation</a>: 
Vulnerabilities in software published and maintained by Progress Software Corporation (USA)</li><li><a href='/PartnerInformation/ListofPartners/partner/PureStorage'>Pure Storage, Inc.</a>: Pure Storage products only (USA)</li><li><a href='/PartnerInformation/ListofPartners/partner/securin'>Securin</a>: Vulnerabilities found in Securin products and services (including end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Securin that are not in another CNA’s scope (USA)</li><li><a href='/PartnerInformation/ListofPartners/partner/SoftIron'>SoftIron</a>: SoftIron HyperCloud branded products and technologies only (USA)</li><li><a href='/PartnerInformation/ListofPartners/partner/Xerox'>Xerox Corporation</a>: Xerox Corporation issues only (USA)</li></ul>"
},
{
"contentnewsType": "paragraph",
"content": "<strong><a href='/PartnerInformation/ListofPartners/partner/redhat'>Red Hat Root</a>:</strong>"
},
{
"contentnewsType": "paragraph",
"content": "<ul><li><a href='/PartnerInformation/ListofPartners/partner/VULSec'>VULSec Labs</a>: Vulnerabilities discovered by, or reported to, VULSec Labs that are not in another CNA’s scope (Israel)</li></ul>"
},
{
"contentnewsType": "paragraph",
"content": "<h4>Community Informed Legacy CVE Download Formats Will Be Phased Out in 2024</h4>"
},
{
"contentnewsType": "paragraph",
"content": "On July 25, the CVE Program informed the community in a <a href='/Media/News/item/blog/2023/07/25/Legacy-Downloads-being-Phased-Out'>blog post</a> and on social media that legacy CVE download formats will be phased out beginning on January 1, 2024. CVE adopted a new data format March 29, 2023. Downloads in <a href='/AllResources/CveServices#cve-json-5'>CVE JSON 5.0</a>, the new official data format for CVE Records, are hosted in the <a href='https://github.com/CVEProject/cvelistV5' target='_blank'>cvelistV5 repository</a> on GitHub.com."
},
{
"contentnewsType": "paragraph",
"content": "As a result of the new official data format, the legacy CVE content download formats currently provided by the CVE Program (i.e., CSV, HTML, XML, and CVRF) will be phased out over the first half of 2024."
},
{
"contentnewsType": "paragraph",
"content": "To assist consumers with their transition to the new format, the frequency of updates to the legacy download formats will be reduced on the following schedule:"
},
{
"contentnewsType": "paragraph",
"content": "<ul><li><strong>December 31, 2023:</strong> Current daily update schedule ends.</li><li><strong>January 2024:</strong> Once per week updates.</li><li><strong>February 2024:</strong> Every other week updates.</li><li><strong>March–June 2024:</strong> Once per month updates.</li><li><strong>June 30, 2024:</strong> Legacy download formats no longer updated with new CVE Records.</li></ul>"
},
{
"contentnewsType": "paragraph",
"content": "Any tools or automation that use these old formats may no longer work once the old formats have been deprecated, so organizations should act now to adopt the new format."
},
{
"contentnewsType": "paragraph",
"content": "<h4>Community Encouraged to Submit Innovative Ideas and New Feature Requests to the CVE Program</h4>"
},
{
"contentnewsType": "paragraph",
"content": "The CVE Program is actively welcoming innovative ideas and new feature requests from the community in our <a href='https://github.com/CVEProject/Ideas' target='_blank'>CVE Program Ideas</a> repository on GitHub.com. We encourage community members to <a href='https://github.com/CVEProject/Ideas/blob/main/README.md#submitting-a-cve-program-innovative-idea-or-new-feature-request' target='_blank'>submit any suggestions</a> you may have to enhance the CVE Program and help us better serve the broader community. The community is already using the repository and you can view those submissions <a href='https://github.com/CVEProject/Ideas/issues' target='_blank'>here</a>."
},
{
"contentnewsType": "paragraph",
"content": "<h4>CVE Podcast Details How the New CVE Record Format Will Benefit Consumers</h4>"
},
{
"contentnewsType": "paragraph",
"content": "The “<a href='/Media/News/Podcasts'>We Speak CVE</a>” podcast series provides new and valuable information to the community about the CVE Program, vulnerability management, and cybersecurity. In the “<a href='/Media/News/item/podcast/2023/09/26/How-New-CVE-Record-Format-Benefits-Consumers'>How the New CVE Record Format Will Benefit Consumers</a>” podcast episode, published in September, CVE Board Member Shannon Sabens of <a href='/PartnerInformation/ListofPartners/partner/CrowdStrike'>CrowdStrike</a> and Kent Landfield of <a href='/PartnerInformation/ListofPartners/partner/Trellix'>Trellix</a> speak about how the new CVE Record format &mdash; with its new structured data format and optional information fields &mdash; will benefit and provide enhanced value to consumers of CVE content moving forward."
},
{
"contentnewsType": "paragraph",
"content": "<h4>Planning CVE Conferences and Workshops Is Focus of New CVE Working Group</h4>"
},
{
"contentnewsType": "paragraph",
"content": "The new “<a href='/ProgramOrganization/WorkingGroups#VulnerabilityConferenceandEvents'>CVE Vulnerability Conference and Events Working Group (VCEWG)</a>” was created by the <a href='/ProgramOrganization/Board'>CVE Board</a> to provide the CVE community with a forum for planning conferences, workshops, and other CVE community events. This new WG is open to CVE community members such as <a href='/ProgramOrganization/CNAs'>CNAs</a> and the CVE Board as well as public membership, including members of corporate vulnerability management programs and vulnerability management related standards, initiatives and associations. Read the <a href='/Resources/Roles/WorkingGroups/VCEWG/VCEWG-Charter.pdf'>VCEWG charter</a> or request to join the VCEWG <a href='/ProgramOrganization/WorkingGroups#cve-how-to-join'>here</a>."
},
{
"contentnewsType": "paragraph",
"content": "The initial activity of the VCEWG is co-planning <i> <a href='https://www.first.org/conference/vulncon2024/' target='_blank'>CVE/FIRST VulnCon 2024</a></i>, to be held March 25-27, 2024, in Raleigh, North Carolina, USA. The goal of this in-person and virtual event is to “collaborate with various vulnerability management and cybersecurity professionals to develop forward leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem.” View the <a href='https://www.first.org/conference/vulncon2024/' target='_blank'>Call for Papers</a>."
},
{
"contentnewsType": "paragraph",
"content": "<h3>Q3 CY 2023 Metrics</h3>"
},
{
"contentnewsType": "paragraph",
"content": "Metrics for Q3 CY 2023 Published <a href='/ResourcesSupport/Glossary?activeTerm=glossaryRecord'>CVE Records</a> and Reserved <a href='/ResourcesSupport/Glossary?activeTerm=glossaryCVEID'>CVE IDs</a> are included below. Annual metrics are also included in the charts for year-to-year comparisons."
},
{
"contentnewsType": "paragraph",
"content": "Terminology<br/><ul><li>Published: When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published. The associated data must contain an identification number (CVE ID), a prose description, and at least one public reference.</li><li>Reserved: The initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA.</li></ul>"
},
{
"contentnewsType": "paragraph",
"content": "<h4>Published CVE Records</h4>"
},
{
"contentnewsType": "paragraph",
"content": "As shown in the table below, CVE Program production was 6,936 CVE Records for CY Q3 2023. This is a 7% increase over this same quarter last year of 6,448 records published in CY Q3 2022. This includes all CVE Records published by all <a href='/ResourcesSupport/Glossary?activeTerm=glossaryCNA'>CNAs</a> and the two <a href='/ResourcesSupport/Glossary?activeTerm=glossaryCNALR'>CNAs of Last Resort (CNA-LRs)</a>."
},
{
"contentnewsType": "table",
"title": "",
"year": "2023",
"quarter": ["Q1","Q2","Q3"],
"dataRowTitle": "CVE Records Published by All CNAs",
"dataRowCounts": ["7,015","7,134","6,936"]
},
{
"contentnewsType": "paragraph",
"content": "<h4>Reserved CVE IDs</h4>"
},
{
"contentnewsType": "paragraph",
"content": "The CVE Program tracks reserved CVE IDs. As shown in the table below, 9,095 CVE IDs were in the “Reserved” state in Q3 CY 2023, an 8% increase over this same quarter last year from the 8,325 IDs reserved in CY Q3 2022. This includes all CVE IDs reserved by all CNAs and the two CNA-LRs."
},
{
"contentnewsType": "table",
"title": "",
"year": "2023",
"quarter": [ "Q1","Q2","Q3"],
"dataRowTitle": "CVE IDs Reserved by All CNAs",
"dataRowCounts": ["9,126","10,244","9,095"]
},
{
"contentnewsType": "paragraph",
"content": "<h4>CVE IDs Reserved/CVE Records Published Quarterly Trend by CY</h4>"
},
{
"contentnewsType": "image",
"imageWidth": "",
"href": "/news/cveProgramReport/reservedCVEIDspublishedCVERecordsQuarterlyTrendQ3CY2023.png",
"altText": "Quarterly trend of reserved CVE IDs and published CVE Records for calendar years for 2020-2023 by all CNAs and CNA-LRs",
"captionText": "Quarterly trend of reserved CVE IDs and published CVE Records by all CNAs and CNA-LRs.<br/><a href='/About/Metrics'>View as tables</a> on the Metrics page."
},
{
"contentnewsType": "paragraph",
"content": "<h3>CNA Partners Grow the CVE List</h3>"
},
{
"contentnewsType": "paragraph",
"content": "All of the CVE IDs and CVE Records cited in the metrics above are assigned and published by <a href='/ResourcesSupport/Glossary?activeTerm=glossaryCNA'>CNAs</a> and the two <a href='/ResourcesSupport/Glossary?activeTerm=glossaryCNALR'>CNA-LRs</a>, within their own specific scopes."
},
{
"contentnewsType": "paragraph",
"content": "CNAs <a href='/PartnerInformation/Partner#HowToBecomeAPartner'>partner with the program</a> from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign. Currently, <a href='/PartnerInformation/ListofPartners'>339 organizations</a> (337 CNAs and 2 CNA-LRs) from <a href='/ProgramOrganization/CNAs#CNAProgramGrowth'>37 countries</a> and 1 no country affiliation are partners with the CVE Program."
},
{
"contentnewsType": "paragraph",
"content": "<a href='/PartnerInformation/Partner#HowToBecomeAPartner'>Learn how to become a CNA</a> or contact one of the following to start the partnering process today:"
},
{
"contentnewsType": "paragraph",
"content": "<ul><li><a href='/PartnerInformation/ListofPartners/partner/CISA'>CISA Top-Level Root</a>: Vulnerabilities that are (1) reported to or observed by CISA and (2) affect critical infrastructure, U.S. civilian government, industrial control systems, or medical devices, and (3) are not covered by another CNA’s scope</li><li><a href='/PartnerInformation/ListofPartners/partner/icscert'>CISA ICS Root</a>: Vulnerabilities that are (1) reported to or observed by CISA, (2) affect industrial control systems or medical devices, and (3) are not covered by another CNA’s scope</li><li><a href='/PartnerInformation/ListofPartners/partner/mitre'>MITRE Top-Level Root</a>: Vulnerabilities, and Open-Source software product vulnerabilities, not already covered by a CNA listed on this website</li><li><a href='/PartnerInformation/ListofPartners/partner/Google'>Google Root</a>: Alphabet organizations</li><li><a href='/PartnerInformation/ListofPartners/partner/INCIBE'>INCIBE Root</a>: Spain organizations</li><li><a href='/PartnerInformation/ListofPartners/partner/jpcert'>JPCERT/CC Root</a>: Japan organizations</li><li><a href='/PartnerInformation/ListofPartners/partner/redhat'>Red Hat Root</a>: The entire open-source community. Any open-source organizations that prefers Red Hat as their Root; organizations are free to choose another Root if it suits them better</li></ul>"
},
{
"contentnewsType": "paragraph",
"content": "<h3>Comments or Questions?</h3>"
},
{
"contentnewsType": "paragraph",
"content": "If you have any questions about this article, please comment on the <a target='_blank' href='https://medium.com/@cve_program'>CVE Blog on Medium</a> or use the <a target='_blank' href='https://cveform.mitre.org/'>CVE Request Web Form</a> and select “Other” from the dropdown menu."
},
{
"contentnewsType": "paragraph",
"content": "We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!"
}
]
},
{
"id": 273,
"newsType": "news",
"title": "Minutes from CVE Board Teleconference Meeting on November 8 Now Available",
"urlKeywords": "CVE Board Minutes from November 8",
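Review bot: the content string for the Progress Software Corporation entry at the end of the MITRE TL-Root list (the `<li>` that reads `Progress Software Corporation</a>: ` and continues on the following line with `Vulnerabilities in software published and maintained by Progress Software Corporation (USA)`) appears to carry a raw line break inside a JSON string literal; if that break is in the file rather than an artifact of the diff viewer wrapping a long line, strict parsers such as JSON.parse will reject the whole file for an unescaped control character, so the break should be removed or written as `\n`. Two of the stated metric comparisons do not match the figures given beside them: 6,936 records over 6,448 is a 7.6% increase (the text says 7%), and 9,095 reserved IDs over 8,325 is a 9.2% increase (the text says 8%); either the percentages or the prior-year baselines need correcting before this goes live. Every external anchor in the new entry uses target='_blank' without rel='noopener noreferrer' (the idbs.com, python.org, pypi.org, github.com, first.org and medium.com links, for example); since these content fields carry raw HTML markup, presumably rendered unescaped by the site, adding rel='noopener' is a cheap guard against the linked page receiving a window.opener reference in older browsers, and this file should be treated as a trusted HTML source whenever it is edited. Minor: the two table objects format their quarter arrays differently (`["Q1","Q2","Q3"]` versus `[ "Q1","Q2","Q3"]`), and the prose alternates between "Q3 CY 2023" and "CY Q3 2023"; pick one form of each.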