Vdoo Joins the CVE Program as a CNA to Help Track and Mitigate Device Security Vulnerabilities

Asaf Karas  August 10, 2020

We are happy to announce that Vdoo is joining the Common Vulnerabilities and Exposures (CVE) Program as a registered CVE Numbering Authority (CNA). CNAs are companies and organizations that create CVE Entries, the de facto international standard for identifying and naming cyber security vulnerabilities. The program helps establish a common language which security researchers and vendors can use to describe, publish and resolve security vulnerabilities. As a CNA, Vdoo will be able to streamline its CVE assignment process and publish more security research in coordination with its partner vendors.

Vdoo can help external researchers who are looking to contact us regarding security issues found in the products of embedded device vendors, as well as in our own automated SaaS platform. In the former case, we can help coordinate with the vendor and arrange the publication of CVE Entries on the official CVE Program and NIST websites. Interested researchers are invited to contact us through our disclosure page.

Since Vdoo was established, more than 300 zero-day vulnerabilities have been discovered in embedded products using the Vdoo platform, and we have publicly released over 25 CVEs in full coordination with the relevant vendors and OSS maintainers. Our entry into the CVE program is a significant step that reinforces our ongoing commitment to ensuring the security of connected devices.

The number of security vulnerabilities in connected devices has been growing steadily over the past few years, and this has become a problem for manufacturers, vendors and operators across all verticals including industrial, medical, automotive and more. The CNA program is one of the main ways in which companies in this market can help track and mitigate vulnerabilities using a common language that crosses geographies and verticals.

“Adding Vdoo to the international CVE Numbering Authorities is significant in that embedded devices often provide hidden exposures that buyers unknowingly deploy in consumer products, business environments, and even national security systems. Vdoo helps the CVE program identify and track new vulnerabilities in the billions of IoT devices already deployed with billions more coming. Welcome to the CVE team!” - Scott Lawler, CEO LP3 and CVE Board Member

About the CVE Program

The CVE Program is the de facto international standard for identifying and naming cyber security vulnerabilities. CVE is an international, community-based effort that maintains a community-driven, open data registry of vulnerabilities. The CVE IDs assigned through the registry enable program stakeholders to rapidly discover and correlate vulnerability information used to protect systems against attacks. The CVE List is built by CVE Numbering Authorities (CNAs), which assign every CVE Entry added to the list; the list in turn feeds the U.S. National Vulnerability Database (NVD).


Asaf Karas

Co-founder and CTO

Asaf is a co-founder and the CTO of Vdoo. Before joining Vdoo, Asaf spent almost 15 years leading security research at the Israeli Defense Forces. There, he specialized in areas such as reverse engineering, device debugging, network forensics, malware analysis, big data and anomaly detection, and, as a branch leader, managed a team of over 100 cyber specialists.
