CNA activity report - 2 organizations from Japan newly added as CNAs - JPCERT/CC Eyes

Today on December 4, 2020, announcements regarding new CNAs (CVE Numbering Authority) were made from The MITRE Corporation and 2 vendors in Japan.

The MITRE Corporation
LINE Added as CVE Numbering Authority (CNA)
Mitsubishi Electric Added as CVE Numbering Authority (CNA)

LINE Corporation
LINE becomes a CVE Numbering Authority (CNA)

Mitsubishi Electric Corporation
Initiatives Regarding Product Security｜MITSUBISHI ELECTRIC Global website

Following the announcements, I will speak on CVE (Common Vulnerabilities and Exposures) and our activities related to it.

CNAs' role is to assign CVE identifiers to vulnerabilities existing in individual products. CVE is the de facto standard for vulnerability identification and naming and is used globally. As a CNA, JPCERT/CC assigns CVE IDs to reported vulnerabilities, when publishing the advisories on JVN. However, considering the nature of CVE IDs, it would be more natural for the product developers who can acknowledge and verify the vulnerabilities to assign CVE IDs on their own, than by the organizations who coordinate and publish vulnerability information. The involvement of the 2 new CNAs is welcome by the CVE program, as vendors' participation to the program as CNAs is highly encouraged.

JPCERT/CC not only having assigned CVE IDs, but also has been acting as a Root CNA, who coordinates between the CNAs and stakeholders in its own scope, since 2018. Currently, other than JPCERT/CC, MITRE and CISA ICS act as a Root CNA.

One of the Root CNA missions is to invite and create new CNAs under its umbrella. We would like to express our gratitude to the 2 organizations for their consents to become a CNA and are happy to have wonderful companions when starting to diffuse the CVE program globally.

As a member of the CVE program, we also conduct activities other than CNA recruitments. I will touch on one of the topics which JPCERT/CC has recently been working on.

In the CVE Program, besides CNA recruitment, several activities are conducted to spread the understandings of the CVE program, such as document publications and the localization activities. JPCERT/CC has recently translated CNA on-boarding documents written in English into Japanese. If you are interested in the documents, please see the page
https://cve.mitre.org/cve/cna.html

We will continue striving to diffuse the CVE program through CNA recruitment and localization works. If you are interested in becoming a CNA or have any opinions on this topic, please contact us at vuls@jpcert.or.jp.

Tomo Ito, Early Warning Group

伊藤智貴 (Tomo Ito)

Joined JPCERT/CC as a developers' contact information finder. Currently a vulnerability coordinator/international collaboration specialist in Early Warning Group and works on CVE, SBOM and ISO/IEC JTC 1/SC 27/WG 3. Gave presentation on SBOM at FIRST Annual Conference 2020.Other time making music.