The Board of the Common Vulnerabilities and Exposures (CVE) Program has launched two new forums to encourage more contributions and shape the future of the initiative.
The CVE Program, run by the nonprofit MITRE and sponsored by the US Cybersecurity and Infrastructure Security Agency (CISA), faced uncertainty about its future in April after its contract expired. The contract was subsequently extended for 11 months, according to reports.
While the longer-term future of the program remains uncertain beyond this period, the CVE Board appears to be willing to allow more stakeholders to have a voice and shape the program’s strategy.
On July 1, the Board announced the launch of two new forums, the CVE Consumer Working Group (CWG) and the CVE Researcher Working Group (RWG).
Consumer Working Group: For CVE Data Users
The CWG aims to represent the perspectives of end-consumers of CVE List data, including enterprises, security teams, vulnerability analysts, government agencies, managed security service providers (MSSPs), academic researchers, software vendors and tool developers who rely on CVE data to support decision-making, operational defense and risk management.
“The CWG will identify consumer needs, evaluate the usability of CVE data and recommend improvements to ensure that the CVE Program remains aligned with real-world use cases,” said the CVE Board.
The CWG is open to CVE Board members, CVE Numbering Authorities (CNAs) – vetted organizations that publish CVEs –, Authorized Data Publishers (ADPs) – organizations authorized to enrich CVE data – as well as external stakeholders who consume and work with CVE data and individuals “with relevant perspectives on CVE consumption.”
Jean-Baptiste Maillet, a cybersecurity architect specializing in vulnerability management at Ampere Software Technology, welcomed the launch in a post on LinkedIn.
“It took more than 25 years for users to get a voice at the CVE Program, but better late than never,” he said.
Researcher Working Group: Restricted to Research and Bug Bounty CNAs
The RWG is dedicated to establishing working norms for the extended community of designated Researcher CVE Numbering Authorities (CNAs).
“This includes providing guidance and advice to the research community, as well as other research community activities designed to promote the CVE Program,” the CVE Board explained.
The RWG will operate under a TLP:Amber designation, meaning that information shared within the group is restricted to participants and their organizations, with limited further distribution allowed only on a need-to-know basis.
Participation in the RWG is more limited than for the CWG, as only the CVE Board and representatives of currently active CNAs designated as either research CNAs or bug bounty CNAs are welcome.
Individuals without ties to research or bug bounty CNAs may only join RWG meetups when approved by consensus among current members.
Both the CWG and RWG are now open for members to join.
Image credit: CVE/MITRE
No tags.
