Our CVE Story: Bringing our ZDI community to the CVE community

June 22, 2020 | Shannon Sabens

At ZDI, we have benefitted greatly from working with the CVE program and becoming a CNA. While we aren’t one of the oldest CNAs, we do have a relationship with the CVE program going back many years. Our history with the program is surely different from that of many vendor CNAs, but I think we have largely shared in the same mutual benefits.

ZDI, as a security research organization and a bug bounty program, was formed 15 years ago. We are one of the oldest bug bounties. As a research organization, we used to approach the CVE program independently and individually for the CVEs we needed assigned to track vulnerabilities that we had vetted and acquired. Once upon a time, we would write to a CVE Coordination email address to provide all the relevant information and to get a CVE. Later, to do this, just like many independent researchers today, we would write to the CVE Coordinators at “Request a CVE ID.” We would provide the vulnerability type, the vendor or developer name, the affected product name, and the version information.

Then, several years ago, ZDI approached the CVE program about becoming a CNA. At that time, they discussed it, but bug bounties in general were still a fairly new concept, and ZDI, as a bug bounty, did not fit the requirements for becoming a CNA.

That said, we were very flattered and pleased when the CVE Board voted to make ZDI a “full-coverage source.” Perhaps we can think of this period as a compromise or a transition phase. It meant that instead of me, as the ZDI PM, having to contact the CVE program and request a CVE ID for a report that did not already have a CVE ID or where the affected vendor was not a CNA, the program proactively looked at ZDI as a source, assigned CVEs to our fully vetted reports missing CVEs, and issued them to ZDI directly. This was an effective step.

Later, when the criteria for becoming a CNA were amended and it became permissible for bug bounties and research organizations to potentially qualify to become CNAs, ZDI again approached the CVE program to inquire about becoming a CNA. This time it was agreed that ZDI could meet the current criteria. We studied up a little and we demonstrated that we could administer the assignments ourselves.

As a CNA, you will provide a statement about your scope. What you, as a CNA, are providing CVEs for is your scope. At ZDI, we asked only that we administer for ourselves what the CVE program had been doing for ZDI as a “full-coverage source.” It means that where the vendor or CERT we reported a vulnerability to is not a CNA, we can assign a CVE to the vulnerability. Specifically, our scope says exactly: “Products and projects covered by its bug bounty programs that are not in another CNA’s scope.”

Likewise, ZDI assisted the PSIRT for our company’s products through the CNA onboarding process. The Trend Micro PSIRT became a CNA too!

The current requirements for becoming a CNA are quite accessible.

- Have a public vulnerability disclosure policy
- Have a public source for new vulnerability disclosures
- Agree to the CVE Terms of Use

As a CNA we have gained a deeper understanding of CVE and become active members of a lively community with a shared commitment to CVE. This has benefitted us as a research organization and has helped us to develop our staff.

If you need CVE education for staff, there are PDF and video materials available.

We feel the biggest benefit is that we document the message associated with the CVE and we can attest to its transparency and accuracy. Our participation in CVE is a demonstration of our commitment to this.

We sincerely hope that sharing our experience may benefit others who are considering becoming a CNA. If you have questions about the program, we are happy to share our experience or you can contact the fabulous professional team of CNA Coordinators with the CVE Program.

Best Wishes,

Shannon Sabens
Sr. Program Manager
ZDI Program
Trend Micro