Indian Computer Emergency Response Team (CERT-In) undertakes responsible vulnerability disclosure and coordination for reported vulnerabilities in accordance with the Responsible Vulnerability Disclosure and Coordination Policy.
Responsible Vulnerability Disclosure and Coordination refers to the process of collection, analysis, and mitigation coordination of newly identified cybersecurity vulnerabilities with researchers/finders and affected vendors/organizations/code maintainers. The process aims to minimize adversary advantage while a vulnerability is being mitigated. It attempts to ensure vulnerabilities are remediated before they result in any adverse impact.
Common Vulnerabilities and Exposures (CVE) Program and CVE Identifier
The Common Vulnerabilities and Exposures (CVE) Program (https://www.cve.org) is a voluntary, international, community-driven effort to identify, define, catalog, and share information about publicly disclosed cybersecurity vulnerabilities.
A CVE Identifier (CVE ID) is an alphanumeric string that identifies a publicly disclosed vulnerability. A CVE ID assigned to a vulnerability enables multiple parties to discuss and share information with confidence that they are referencing the appropriate vulnerability. This vulnerability identification capability is fundamental to global vulnerability management.
CVE Numbering Authority (CNA)
A CVE Numbering Authority (CNA) is an organization authorized by the CVE Program with specific scope and responsibility to regularly assign CVE IDs and publish corresponding CVE Records. In addition to assigning CVE IDs, CNAs also create and publish information about the identified vulnerability in its associated CVE Record with consistent descriptions of vulnerabilities. These CVE Records form a catalog (a.k.a. CVE List) that enables anyone to rapidly discover and correlate vulnerability information used to protect systems against attacks.
CERT-In as a CVE Numbering Authority (CNA)
CERT-In has been authorized as one of the CVE Numbering Authorities (CNAs) under the CNA program. CERT-In as a CNA can assign and publish CVE identifiers for newly discovered security vulnerabilities found in products manufactured / developed by Indian vendors / OEMs. The primary aim of the CVE Numbering Authority at CERT-In is to strengthen trust in "Make in India" globally as well as to nurture responsible vulnerability research in the country. CERT-In as a CVE Numbering Authority acts as an effective interface between industry, researchers, academia and product companies.
Responsible vulnerability disclosure for products helps the users of the affected products to reduce, and sometimes avoid, the risks imposed on them. CERT-In as a CNA will benefit the organizations and developers who often rely on vulnerability descriptions to determine the security risks to their systems.
CERT-In strongly believes that security researchers play a vital role in ensuring newly discovered vulnerabilities are addressed appropriately and on time, working in coordination with the affected vendors/OEMs.
Reporting vulnerabilities to CERT-In
Security vulnerabilities in any product can be reported via email to vdisclose@cert-in.org.in. CERT-In accepts PGP-encrypted emails and attachments. The details of the public key and the Vulnerability Reporting Form are available at https://www.cert-in.org.in/RVDCP.jsp.
CERT-In will examine and validate the vulnerability report and process the request in accordance with the Responsible Vulnerability Disclosure and Coordination Policy (https://www.cert-in.org.in/RVDCP.jsp).
The CVE Numbering Authority (CNA) at CERT-In will assign a CVE ID wherever the vulnerability report qualifies for CVE assignment.
References
https://www.cert-in.org.in/RVDCP.jsp
https://www.cve.org/PartnerInformation/ListofPartners/partner/CERT-In
https://pib.gov.in/PressReleseDetailm.aspx?PRID=1766844