What is a CVE and why is it important for your security?

There are “good” hackers. They call themselves security analysts and some even devote their time to working for the common good. They investigate possible vulnerabilities in public and known applications, and when they find a possible security flaw that could endanger the users of those applications, they report that vulnerability to the software manufacturer. There is no reward, they are not paid for it, they do it to make the world safer.

What is a CVE?

This entire process, from the moment the manufacturer accepts the reported vulnerability until it is fixed, is taken to a public reference system called the CVE Database. This is a database maintained by MITRE Corporation (that’s why sometimes it is known as MITRE CVE list) with funds from the National Cyber Security Division of the government of the United States of America.

The CVE Program is an international effort, based on the community and it is based on it to discover vulnerabilities. Vulnerabilities are discovered, assigned and published in the CVE list.

Each CVE uniquely identifies a security problem. This problem can be of different types, but in any case, it is something that if it is not solved but rather stays hidden, someday someone will take advantage of said failure. A CVE simply describes which is the vulnerable application and the version and/or component affected without revealing sensitive information. When the error is corrected, it reports where the solution can be found. Generally a CVE is not made public until the mistake has been corrected, this is especially important, since it guarantees that the users of said application are not subjected to a gratuitous risk when publishing information about the failure. If there were no CVE, researchers would publish such information without coordinating with the manufacturers, producing unacceptable security risks for users who have no way to protect themselves against data that reveals security errors in their systems as users of those applications. Don’t forget that all software vendors have public CVEs published. Nobody is spared.

This consensus between manufacturers and researchers on the way to reveal sensitive information regarding security flaws of an application allows a continuous improvement of the security of public information systems. Although MITRE is originally a US funded organization, there are partner organizations around the world that help to organize CVEs regionally, decentralizing management and helping local manufacturers organize more efficiently.

INCIBE and ARTICA

CVEs are coordinated by CNAs, voluntary organizations that offer themselves to coordinate and resolve disputes when there are conflicting positions between security researchers and manufacturers. The root CNA is MITER, and there are CNAs spread all over the world. Most of the software and hardware manufacturers like Microsoft, CISCO, Oracle, VMware or Dell are CNAs that are part of the CVE program.

INCIBE, the National Cybersecurity Institute of Spain, is a Spanish organization that has recently become a CNA Root, a member with a special status within the CVE hierarchy, as it coordinates the Spanish CNAs. It is also a contact point in the country for receiving vulnerabilities discover n the IT domain, industrial systems and IoT (Internet of Things) devices.

Thanks to its collaboration with INCIBE, ÁRTICA the company behind Pandora FMS, Integria IMS and eHorus has become the official CNA of CVE. This is especially important as it shows Pandora FMS’s commitment to information system security and makes itself available to researchers from all over the world to work on solving any problem that may affect its users.

From this moment on, the program has two hundred one CNA from thirty two countries, ARTICA being number two hundred all over the world and third in Spain. After joining the program, ARTICA will be able to publicly receive any information related to the security of Pandora FMS, Integria IMS or eHorus and process the solution of the problem reliably as well as its public communication.
Our vulnerability management policy allows us to assure any Pandora FMS user that any problem will be dealt with rigorously, prioritizing the impact and mitigating risk in productive environments, while guaranteeing the researcher correct reception, communication and publication in the open of his/her work.

Vulnerability disclosure policy in Pandora FMS

At Pandora FMS, we have a very open policy in this regard. Pandora FMS was born with an open philosophy, this not only means open source, it also means free knowledge and, of course, process transparency. We have a fully public and transparent vulnerability disclosure policy. Over the years, different researchers have contacted us to report security problems in Pandora FMS. Yes, we too have had, and will have, security flaws. And thanks in part to the selfless work of security researchers, we have been correcting many of these flaws. We are so compliant and honest that we publish them ourselves in a list of known vulnerabilities on our own website.

Security bug reports generally have a life cycle that allows users to avoid the added risk of publishing information about software bugs ahead of time, before the manufacturer has been able to create a patch and distribute it in good time to its users. In this process, the security breach remains in a waiting stage, where the manufacturer accepts the reported problem and agrees on a date to solve the problem. The security researcher waits patiently and makes the solution of the problem as easy as possible: providing more information, collaborating with the development team, even doing some additional testing when the patch is available. The point is to work as a team to improve the robustness of the software.

The e-mail box [email protected] is open to anyone with an interest in improving the security of our software.

Shares

Download the most comprehensive report on secure monitoring from IDG research