liujingang09, openEuler Security Committee
openEuler Becomes a Member of the CNA Program
The openEuler community attaches great importance to the security of its community versions. To respond to and handle security issues related to openEuler quickly, the community has developed a complete vulnerability management policy. On June 24, 2020, openEuler joined the CVE Numbering Authority (CNA) Program. openEuler is now entitled to assign and manage CVEs related to the openEuler community. By joining the CNA Program, openEuler applies the industry's mature vulnerability management standards to strengthen the community's cyber security.
The security committee of the openEuler community is responsible for building the community's security engineering and improving its vulnerability response capabilities. We hope that security experts and enthusiasts who are interested in openEuler will join hands with us to enhance the security of the openEuler community.
Vulnerability management policy:
What is CVE?
- CVE is an international, community-based effort that maintains a community-driven, open data registry of vulnerabilities.
- The CVE IDs assigned through the registry enable program stakeholders to rapidly discover and correlate vulnerability information used to protect systems against attacks.
- The CVE List is built by CVE Numbering Authorities (CNAs). Every CVE Entry added to the list is assigned by a CNA.
- The CVE List feeds the U.S. National Vulnerability Database (NVD).
- CVE enables two or more people or tools to refer to a vulnerability and know they are talking about the same thing, resulting in significant time and cost savings.
CVE is Community Driven:
- The CVE Program relies on the community (vendors, end users, researchers, and more) to discover and register vulnerabilities.
- CVE IDs are assigned by CVE Numbering Authorities (CNAs), which are operated on a voluntary basis by participating organizations.
- The CVE Board, which drives the direction of the CVE Program, consists of industry, academic, and government representatives from around the world.
- CVE Working Groups develop the program’s policies (approved by the CVE Board) and are open to the community.
- The CVE Program is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA, https://www.cisa.gov/) of the U.S. Department of Homeland Security (DHS) and is operated by the MITRE Corporation in close collaboration with international industry, academic, and government stakeholders.
What are CNAs (CVE Numbering Authorities)?
- CNAs are organizations authorized by the CVE Program to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope.