On Sep 7, 2018, MITRE announced that Appthority has joined 89 other organizations as a CVE Numbering Authority (CNA). Appthority is the first CNA that is focused on enterprise mobile threat research, and we’re proud of this designation. We look forward to participating in and supporting the CVE project and ecosystem for the benefit of the security industry and our customers.
What is CVE?
Common Vulnerabilities and Exposures (CVE) is a reference list of publicly known cybersecurity vulnerabilities. Each entry has a unique identifier of the form CVE-YYYY-NNNN, a short description of the vulnerability, and references to advisories or fixes. The identifier is routinely used as the vulnerability's name, especially in security updates. For example, the recent 2018-09-01 Android Security Bulletin lists 24 CVE entries (often just called "CVEs") that were fixed as part of that release, and the iOS 11.4.1 release notes list 23 CVEs fixed in that release.
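Because bulletins name fixes by CVE ID, a common operational task is pulling the IDs out of bulletin text and checking them against the CVE ID syntax. The following is an added example, not code from the original post or from Appthority; the bulletin text it parses is constructed for illustration and the IDs in it are placeholders, not references to real vulnerabilities. It also shows the failure mode of the pre-2014 "exactly four digits" pattern, which silently truncates IDs whose sequence number has five or more digits.

```python
"""Extract and validate CVE identifiers from security-bulletin text.

Added example (not part of the original post). The sample bulletin below is
constructed for illustration; its CVE IDs are placeholders, not real entries.
"""
import re
from datetime import date
from typing import List, Optional

# CVE ID syntax: "CVE-" + 4-digit year + "-" + a sequence of 4 OR MORE digits.
# Sequence numbers may exceed four digits (syntax change effective 2014), so a
# pattern that assumes exactly four digits truncates "CVE-2018-12345" to
# "CVE-2018-1234", which points at a different entry.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

# Pre-2014 pattern, kept only to demonstrate the truncation bug.
LEGACY_CVE_RE = re.compile(r"CVE-\d{4}-\d{4}")

FIRST_CVE_YEAR = 1999  # the CVE list began in 1999; earlier years cannot appear


def is_valid_cve_id(cve_id: str, as_of_year: Optional[int] = None) -> bool:
    """Return True if cve_id is syntactically valid and its year is plausible.

    as_of_year bounds the year field (defaults to the current year); it is a
    parameter so the check is deterministic in tests.
    """
    as_of_year = as_of_year or date.today().year
    m = CVE_RE.fullmatch(cve_id)
    if m is None:
        return False
    year, seq = int(m.group(1)), m.group(2)
    # Four-digit sequences are zero-padded ("0001") by design; longer
    # sequences carry no leading zeros, so "01234" is malformed.
    if len(seq) > 4 and seq[0] == "0":
        return False
    return FIRST_CVE_YEAR <= year <= as_of_year


def extract_cve_ids(text: str, as_of_year: Optional[int] = None) -> List[str]:
    """Return the unique, valid CVE IDs in text, sorted by year then sequence."""
    found = {m.group(0) for m in CVE_RE.finditer(text)}
    valid = [c for c in found if is_valid_cve_id(c, as_of_year)]
    return sorted(valid, key=lambda c: (int(c[4:8]), int(c[9:])))


def legacy_extract(text: str) -> List[str]:
    """Extract with the four-digit-only pattern; shows how long IDs get cut."""
    return LEGACY_CVE_RE.findall(text)


# Constructed sample bulletin text with placeholder IDs (not real CVEs).
SAMPLE_BULLETIN = """\
Security patch level 2018-09-01. Issues addressed in this release:
CVE-2018-1000 (framework), CVE-2018-12345 (kernel), and CVE-2018-1000
again in a second component. Erroneous reference: CVE-1998-0001.
"""

if __name__ == "__main__":
    print("valid IDs:", extract_cve_ids(SAMPLE_BULLETIN, as_of_year=2018))
    print("legacy pattern on the five-digit ID:", legacy_extract("CVE-2018-12345"))
```

The year upper bound is passed in explicitly so the check does not drift as the calendar advances; in a real pipeline you would feed it the bulletin's own date rather than the wall clock.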
What is a CVE Numbering Authority (CNA)?
A CNA is an organization authorized to assign CVE identifiers and publish CVE entries for vulnerabilities within a defined scope. Many CNAs are vendors assigning CVEs for their own products; Google and Apple, in the examples above, are two of them. Security and vulnerability research organizations can also be CNAs, which lets them assign CVEs to vulnerabilities they discover when the affected product does not fall within the scope of another CNA.
How will Appthority assign CVEs?
Appthority's Mobile Threat Team discovers and researches mobile threats and protects our customers from them. Many of these threats are vulnerabilities in specific applications. We work with the app developers to get those vulnerabilities fixed and practice responsible (coordinated) disclosure: we publish details only after the developer has had enough time to create, test, and release a fix.
As a CNA, Appthority can assign and announce CVE entries for these vulnerabilities when we publish our work, rather than requesting identifiers from another CNA after the fact. Because the CVE ID accompanies the publication, our advisory, the developer's release notes, and the CVE entry all point to the same identifier, which makes the results of our research easy to search for and reference for our customers and the wider security community.
What does this mean for our customers?
When we publish research, our customers are already automatically protected from the discovered threats. By including CVE entries for our discoveries at the time of publication, we make it easier for customers to reference the discovered vulnerabilities and show that they are protected from the threat.