F-Secure authorized to be a CVE Numbering Authority (CNA)
August 2020 by Marc Jacob
F-Secure is authorized by the CVE Program to assign Common Vulnerabilities and Exposures (CVE) identifiers as a CVE Numbering Authority (CNA). CNAs are organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope.
CVEs are publicly disclosed security flaws. Without careful coordination in how these flaws are disclosed, security researchers and software vendors risk providing sensitive information about vulnerabilities to attackers before users have an opportunity to mitigate the risks posed by affected software, essentially increasing people’s and organizations’ exposure to cyber attacks.
As a CNA for vulnerability researchers, F-Secure is able to assign CVE identifiers to products and projects upon which it performs vulnerability analysis. According to Zak Maples, F-Secure Consulting’s Associate Director for the US, the accreditation will help F-Secure’s researchers and consultants quickly and clearly communicate information about vulnerabilities.
“Security research is a vital part of our work. And as a CNA, we can now take greater ownership of the process, information, and communications that software vendors and users rely on to learn about software vulnerabilities,” explained Maples. “Vendors, our clients, and the public can feel confident that any vulnerabilities we discover are disclosed clearly and timely, and in accordance with CVE Program standards.”
“The Common Vulnerabilities and Exposures (CVE) Team welcomes F-Secure as our newest CVE Numbering Authority (CNA). F-Secure has a strong reputation of contributing to the global cyber security community through F-Secure Labs and frequently publishing valuable cyber information. This experience brings high value to the CVE Team — we welcome this globally trusted partner!” said Scott Lawler, CEO LP3 and CVE Board Member.