NCSC may assign CVE numbers to vulnerabilities
The Dutch National Cyber Security Center is authorized as CVE Numbering Authority. This allows the organization to assign CVE numbers to vulnerabilities and security holes, without having to wait for other organizations to do so.
The NCSC was authorized as a CNA this week by the Common Vulnerabilities and Exposures Program, writes the cybersecurity organization. As a result, the NCSC can now independently assign a CVE number to vulnerabilities and security holes, without having to notify other CVE Numbering Authorities. This should enable the organization to better guarantee the confidentiality of vulnerabilities found.
The CVE program assigns vulnerabilities in software and hardware a unique number. This makes it easier to track and refer to vulnerabilities. The numbers are created by CVE Numbering Authorities. In total there are now six CNAs in the Netherlands and one in Belgium.
These authorities are not allowed to assign CVE numbers to all vulnerabilities, but only to vulnerabilities that fall within their domain. For example, many companies are allowed to create CVE numbers for their own software or hardware. In the Netherlands Airbus, for example, can do thatlike Elastic. In addition, there are bodies such as the DIVD, which was the first independent authority to be designated as a CNA in the Netherlands at the beginning of this year.
Companies that are not allowed to register CVE numbers themselves can be assisted by the NCSC. The security center can also issue CVE numbers for vulnerabilities it finds itself. The organization can do this for leaks that ‘affect multiple systems or suppliers and for which the NCSC coordinates’. The organization does not issue CVE numbers for responsible disclosures that come to the government.