News
Keeper Security Becomes a CVE Numbering Authority
October 2023 by Marc Jacob
Keeper Security announced it has been authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA). Keeper is the first password management company to join this global effort to identify, define and catalog publicly-disclosed cybersecurity vulnerabilities.
As a CNA, Keeper has the ability to directly assign CVE IDs and publish CVE records for vulnerabilities discovered in its own source code and vulnerabilities in third-party software discovered by the Keeper team that are not in another CNA’s scope. Keeper can then publish that information via the CVE List, which information technology and cybersecurity professionals around the world use to coordinate their efforts to prioritize and address the vulnerabilities.
CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). CISA uses the CVE List to compile its Known Exploited Vulnerability Catalog, which organizations use to prioritize remediation of listed vulnerabilities, reducing the likelihood of compromise by known threat actors. The CVE list also feeds into the National Institute of Standards and Technology (NIST) U.S. National Vulnerability Database, which is the government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol.
Keeper Security is committed to the industry best practice of responsible disclosure of potential security issues. Keeper takes the security and privacy of its customers seriously and is committed to protecting their personal data. Keeping users secure is core to Keeper’s values as an organization. Keeper values the input of good-faith researchers and believes that an ongoing relationship with the cybersecurity community helps ensure user security and privacy, and makes the Internet a more secure place overall. This includes encouraging responsible security testing and disclosure of security vulnerabilities.
Keeper performs quarterly application penetration testing on all of its products and systems with 3rd party penetration testers, including NCC Group and Cybertest. These include red-team style penetration tests of both internal and externally-exposed systems with full source code access. Keeper has also partnered with Bugcrowd to manage its bug bounty and Vulnerability Disclosure Program (VDP), which rewards ethical hackers for successfully discovering and reporting vulnerabilities, leveraging the hacker community to continuously uphold Keeper’s high security standards. The Keeper Security VDP can be found at bugcrowd.com/keepersecurity.
