diff --git a/public/images/news/cveProgramReport/reservedCVEIDspublishedCVERecordsQuarterlyTrendQ3CY2024.png b/public/images/news/cveProgramReport/reservedCVEIDspublishedCVERecordsQuarterlyTrendQ3CY2024.png
new file mode 100644
index 00000000..0035f8a4
Binary files /dev/null and b/public/images/news/cveProgramReport/reservedCVEIDspublishedCVERecordsQuarterlyTrendQ3CY2024.png differ
diff --git a/src/assets/data/news.json b/src/assets/data/news.json
index fd98aecc..4e0bbf4d 100644
--- a/src/assets/data/news.json
+++ b/src/assets/data/news.json
@@ -1,5 +1,198 @@
 {
 "currentNews": [
+ {
+ "id": 432,
+ "newsType": "blog",
+ "title": "CVE Program Report for Quarter 3 Calendar Year (Q3 CY) 2024",
+ "urlKeywords": "CVE Program Report for Q3 2024",
+ "date": "2024-11-05",
+ "author": {
+ "name": "CVE Program",
+ "organization": {
+ "name": "CVE Program",
+ "url": ""
+ },
+ "title": "",
+ "bio": ""
+ },
+ "description": [
+ {
+ "contentnewsType": "paragraph",
+ "content": "The CVE Program’s quarterly summary of program milestones and metrics for Q3 CY 2024."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "

Q3 CY 2024 Milestones

"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "

Twenty-Four CVE Numbering Authorities (CNAs) Added

"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "The twenty-four (24) new CNAs added this quarter are listed below under their Top-Level Root (TL-Root) or Root. Scope of coverage is described next to their organization name."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS) Root:"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": ""
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "MITRE TL-Root:"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": ""
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "

Recognition for CNAs Actively Providing Vulnerability Data Enrichment for CVE Records

"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "In September, the CVE Program began publicly recognizing those CNAs that are actively providing enhanced vulnerability data in their CVE Records. Published every two weeks, the “CNA Enrichment Recognition List” recognizes CNAs that provide Common Vulnerability Scoring System (CVSS) and Common Weakness Enumeration (CWE™) information 98% of the time or more within the two-week period of their last published CVE Record. The recognition list was published twice that month, on September 9 with 212 CNAs recognized and on September 23 with 215 CNAs recognized. Read the recognition list announcement here."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "

CVE Records Add New CVE Program Container

"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "In July, the CVE Program added a new “CVE Program Container” within CVE Records that allows the program to deliver additional information more effectively to downstream users, while making no changes to the CVE Record Format schema used by CVE Program partners. The addition supports CVE Program capabilities including providing additional references and Record state information. Over time, the new container will also store various “value added” program data to further enhance individual CVE Records. Read the full announcement here."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "

“CNA Rules v4.0” in Effect as of August 8

"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "The “CVE Numbering Authority (CNA) Operational Rules Version 4.0” took effect on August 8, 2024. The previous version, CNA Rules v3.0, was deprecated. After significant community participation and review, the CNA Rules v4.0 document was approved by the CVE Board on May 8, 2024, and published on the CVE website. CNAs were informed at that time that there would be a 90-day transition period to adjust their internal processes to integrate the new rules. That 90-day transition period ended on August 8, 2024, and CNAs are now required to comply with the new rules."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "

CVE and AI-related Vulnerabilities

"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "Published in July, the “CVE and AI-related Vulnerabilities” blog article is the first in a series intended to document the CVE Board’s efforts to establish swim lanes for AI vulnerability disclosure within CVE. The blog series will discuss the concerns the Board is encountering in defining what is within the responsibilities of the CVE Program. Because not all AI issues are appropriate for a CVE assignment, the blog series will also try to define when other AI security-related initiatives are needed to address concerns outside the CVE Program. In this first blog in the series, the program’s definition of vulnerability is discussed as it relates to AI. Also noted is that the scope of some types of AI-enabled system security issues extend beyond that of the CVE Program, and that further guidelines are needed around vulnerabilities in AI systems that will enable a foundation for the best structuring of PSIRT flow and responsibilities – a key consumer group of CVE data. In future blogs, the Board will provide further information on the program’s directions, additional details and considerations concerning AI-related CVE-ID assignment, and where researchers and security professionals may find additional assistance with AI and assurance challenges. The Board hopes that this blog series will help spark a needed community conversation on AI-related security and the new classes of threats we all must deal with going forward."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "

CVE Podcast Provides CNA Onboarding Process Myths Versus Facts

"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "In the “CNA Onboarding Process Myths Versus Facts” podcast episode, recorded in August, the truth and facts about the following topics are discussed: duration and complexity of the onboarding process; the fact that there is no fee to participate; ease of incorporating assigning CVE Identifiers (CVE IDs) and publishing CVE Records into an organization’s existing coordinated vulnerability disclosure (CVD) processes; availability of automated tools for CNAs; the CVE JSON Record format and available guidance; role of Roots and Top-Level Roots and how they help CNAs; importance of CNAs determining their own scopes; disclosure policies; the community aspect of being a CNA and the availability of peer support; the value of CNAs participating in one or more CVE Working Groups, especially the CNA Organization of Peers (COOP); and more. Listen to the podcast episode here."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "

“Vulnogram User Guide” Available for CNAs

"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "A community-developed “Vulnogram User Guide” (PDF, 4.0MB) was posted for CNAs on the CVE website in July. A “live” version of the document is available for CNAs on Google Docs, which continues to be reviewed and updated over time. The guide explains step-by-step how to use Vulnogram with CVE Services to manage users, CVE Identifiers (CVE IDs), and CVE Records. Vulnogram is a tool for creating and editing CVE information in the CVE Record Format, and for generating advisories. This guide is intended for CNAs that may operate at a comparatively smaller scale and are not using custom integration with CVE Services. Vulnogram is not owned or maintained by the CVE Program. Learn more about Vulnogram on GitHub."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "

Community Asked to Save the Date for CVE/FIRST VulnCon 2025 on April 7-10, 2025

"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "In September, the CVE Program asked the community to “save the date” for CVE/FIRST VulnCon 2025 to be held April 7-10, 2025, at the McKimmon Center in Raleigh, North Carolina, USA. Co-hosted by the CVE Program and FIRST, the purpose of this second annual in-person and virtual event is to “collaborate with various vulnerability management and cybersecurity professionals to develop forward leaning ideas that can be taken back to individual programs for action to benefit the vulnerability management ecosystem. A key goal of the conference is to understand what important stakeholders and programs are doing within the vulnerability management ecosystem and best determine how to benefit the ecosystem broadly.” The call for papers and registration information will be available on the CVE/FIRST VulnCon 2025 conference page, hosted on the FIRST website, when available."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "

Q3 CY 2024 Metrics

"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "Metrics for Q3 CY 2024 Published CVE Records and Reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "Terminology
"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "

Published CVE Records

"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "As shown in the table below, CVE Program production was 8,591 CVE Records for CY Q3 2024. This is a 27% decrease over the 11,716 records published in CY Q2 2024. This includes all CVE Records published by all CNAs and the two CNAs of Last Resort (CNA-LRs)."
+ },
+ {
+ "contentnewsType": "table",
+ "title": "",
+ "year": "2024",
+ "quarter": ["Q1","Q2","Q3"],
+ "dataRowTitle": "CVE Records Published by All CNAs",
+ "dataRowCounts": ["8,697","11,716","8,591"]
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "

Reserved CVE IDs

"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "The CVE Program tracks reserved CVE IDs. As shown in the table below, 11,250 CVE IDs were in the “Reserved” state in Q3 CY 2024, a 10% decrease over the 12,529 IDs reserved in CY Q2 2024. This includes all CVE IDs reserved by all CNAs and the two CNA-LRs."
+ },
+ {
+ "contentnewsType": "table",
+ "title": "",
+ "year": "2024",
+ "quarter": ["Q1","Q2","Q3"],
+ "dataRowTitle": "CVE IDs Reserved by All CNAs",
+ "dataRowCounts": ["13,499","12,529","11,250"]
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "

CVE IDs Reserved/CVE Records Published Quarterly Trend by CY

"
+ },
+ {
+ "contentnewsType": "image",
+ "imageWidth": "",
+ "href": "/news/cveProgramReport/reservedCVEIDspublishedCVERecordsQuarterlyTrendQ3CY2024.png",
+ "altText": "Quarterly trend of reserved CVE IDs and published CVE Records for calendar years for 2020-2024 by all CNAs and CNA-LRs",
+ "captionText": "Quarterly trend of reserved CVE IDs and published CVE Records by all CNAs and CNA-LRs.
View as tables on the Metrics page."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "

CNA Partners Grow the CVE List

"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "All of the CVE IDs and CVE Records cited in the metrics above are assigned and published by CNAs and the two CNA-LRs, within their own specific scopes."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "CNAs partner with the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign. Currently, 416 organizations (414 CNAs and 2 CNA-LRs) from 40 countries and 1 no country affiliation are partners with the CVE Program."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "Learn how to become a CNA or contact one of the following to start the partnering process today:"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": ""
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "

Comments or Questions?

"
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu."
+ },
+ {
+ "contentnewsType": "paragraph",
+ "content": "We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!"
+ }
+ ]
+ },
 {
 "id": 431,
 "newsType": "news",
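Review bot: The reporting period is labelled two ways inside this one entry: the title, the headings and most of the text use `Q3 CY 2024`, while the Published CVE Records and Reserved CVE IDs paragraphs switch to `CY Q3 2024` and `CY Q2 2024`, and the Reserved paragraph mixes both forms in a single sentence. Settling on one form keeps readers who compare quarters from wondering whether two different periods are meant. In the same two paragraphs "decrease over" would read more clearly as `a 27% decrease from the 11,716 records` and `a 10% decrease from the 12,529 IDs`; the percentages themselves agree with the `dataRowCounts` values in the two tables. The `currentNews` array continues past the end of this hunk, so consistency with older entries cannot be checked from here.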