Colleagues,

The CVE Program is proud to announce that CISA<https://cve.mitre.rip/PartnerInformation/ListofPartners/partner/CISA> is the CVE Program’s first-ever CVE Authorized Data Publisher (ADP)<https://cve.mitre.rip/ProgramOrganization/ADPs>. As an ADP, CISA is authorized to enrich CVE Records<https://cve.mitre.rip/ResourcesSupport/Glossary?activeTerm=glossaryRecord> published by CVE Numbering Authorities (CNAs)<https://cve.mitre.rip/ProgramOrganization/CNAs> with additional, related information (e.g., risk scores, references, vulnerability characteristics, translations). The ADP role is limited to adding informational elements to CVE Records within a specific scope approved by the CVE Board<https://cve.mitre.rip/ProgramOrganization/Board>. An ADP may augment the information in a CVE Record, but it cannot modify the data the CNA has published in its “CNA container”; all ADP updates are written to a separate, organization-specific “ADP container.” The intent is to increase the value of CVE Record information by giving the vulnerability management community additional, useful context about a specific CVE Record. Learn more about how an organization can become an ADP here<https://cve.mitre.rip/ProgramOrganization/ADPs#apply>.

Introducing the CISA ADP

The CISA ADP is providing three components to enrich CVE Records:
1. Stakeholder-Specific Vulnerability Categorization (SSVC)<https://www.cisa.gov/stakeholder-specific-vulnerability-categorization-ssvc>
2. Known Exploited Vulnerabilities (KEV)<https://www.cisa.gov/known-exploited-vulnerabilities-catalog> catalog data
3. “Vulnrichment” updates (e.g., missing CVSS<https://www.first.org/cvss/>, CWE<https://cve.mitre.rip/external/cwe.mitre.org/>, or CPE<https://nvd.nist.gov/products/cpe> information for CVE Records that meet specific threat characteristics)

CISA ADP Process

Starting in February 2024, the CISA ADP will perform a two-pass enrichment of new CVE Records as they are published.

First pass: for every new CVE Record, the CISA ADP will publish the three relevant decision points from CISA’s SSVC triage process: Exploitation, Automatable, and Technical Impact. All new CVE Records receive this pass.

Second pass: CVE Records that score at least one of

* Technical Impact: Total
* Automatable: Yes
* Exploitation: Proof-of-Concept, or
* Exploitation: Active

and are lacking one or more of CWE, CVSS, or CPE data receive a second pass of analysis, in which the CISA ADP determines the missing CWE, CVSS, or CPE values and adds them to the CISA ADP container on those CVE Records. In rare cases it will not be possible to assign a CWE, CVSS, or CPE value with confidence; in those cases the CISA ADP will not venture a guess.

If a CNA Later Updates the CVE Record

If a CNA later updates a CVE Record with its own CWE, CVSS, or CPE data, the CISA ADP will remove its own assessed values for those specific elements from that CVE Record. This reduces duplicate (and potentially conflicting) data within the CVE Record. In the rare event that both the originating CNA and the CISA ADP provide a CWE, CVSS, or CPE value, the originating CNA’s data should take precedence for any decision making.
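The following is an added worked example of how a consumer of CVE Records would apply the rules above; it is not code from the CVE Program or CISA. It reads the SSVC decision points from the ADP container, checks whether a record meets a second-pass trigger while the CNA left CWE, CVSS or CPE unfilled, and resolves those elements with CNA precedence. The record is constructed for illustration (placeholder CVE ID, made-up product and values), and its field layout (containers.cna, containers.adp[], SSVC carried as a metrics[].other entry of type "ssvc" with an options list) follows the CVE Record JSON 5.x schema as the author understands it; treat those field names as assumptions and check them against the published schema.

```python
"""Consumer-side handling of CNA and ADP containers in a CVE Record.

Added example, not CVE Program or CISA code. Field names follow the CVE Record
JSON 5.x layout (containers.cna, containers.adp[]) and the metrics[].other
{"type": "ssvc"} convention; the record itself is constructed.
"""
import copy

# SSVC decision-point values that trigger the second enrichment pass
# (any one of them suffices), as stated in the announcement.
SECOND_PASS_TRIGGERS = {
    ("Technical Impact", "total"),
    ("Automatable", "yes"),
    ("Exploitation", "poc"),
    ("Exploitation", "active"),
}

# Constructed sample: the CNA published no CVSS, CWE or CPE; the CISA ADP
# container carries SSVC, a CVSS vector, a CWE and a CPE string.
SAMPLE_RECORD = {
    "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-0000-00000", "state": "PUBLISHED"},  # placeholder, not a real ID
    "containers": {
        "cna": {
            "providerMetadata": {"shortName": "ExampleCNA"},
            "affected": [{"vendor": "Example", "product": "Widget",
                          "versions": [{"version": "1.0", "status": "affected"}]}],
        },
        "adp": [{
            "providerMetadata": {"shortName": "CISA-ADP"},
            "metrics": [
                {"other": {"type": "ssvc", "content": {
                    "role": "CISA Coordinator", "version": "2.0.3",
                    "options": [{"Exploitation": "poc"}, {"Automatable": "no"},
                                {"Technical Impact": "total"}]}}},
                {"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
                              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}},
            ],
            "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400",
                                                "description": "Uncontrolled Resource Consumption"}]}],
            "affected": [{"vendor": "Example", "product": "Widget",
                          "cpes": ["cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"]}],
        }],
    },
}

def _cwes(container):
    return [d["cweId"] for pt in container.get("problemTypes", [])
            for d in pt.get("descriptions", []) if "cweId" in d]

def _cvss(container):
    # Any metric object keyed cvssV2_0 / cvssV3_0 / cvssV3_1 / cvssV4_0.
    return [v for m in container.get("metrics", [])
            for k, v in m.items() if k.startswith("cvssV")]

def _cpes(container):
    return [c for a in container.get("affected", []) for c in a.get("cpes", [])]

FIELDS = {"CWE": _cwes, "CVSS": _cvss, "CPE": _cpes}

def ssvc_options(record):
    """Collect SSVC decision points from all ADP containers, values lower-cased."""
    out = {}
    for adp in record["containers"].get("adp", []):
        for metric in adp.get("metrics", []):
            other = metric.get("other") or {}
            if other.get("type") == "ssvc":
                for option in other.get("content", {}).get("options", []):
                    for name, value in option.items():
                        out[name] = str(value).lower()
    return out

def missing_in_cna(record):
    """Names of the CWE/CVSS/CPE elements the CNA container does not provide."""
    cna = record["containers"].get("cna", {})
    return {name for name, getter in FIELDS.items() if not getter(cna)}

def qualifies_for_second_pass(record):
    """True when an SSVC trigger is met and the CNA left CWE, CVSS or CPE unfilled."""
    hit = any((n, v) in SECOND_PASS_TRIGGERS for n, v in ssvc_options(record).items())
    return hit and bool(missing_in_cna(record))

def effective(record, field):
    """Resolve CWE/CVSS/CPE as (source, values): CNA data takes precedence and
    ADP containers are consulted only when the CNA published nothing."""
    getter = FIELDS[field]
    cna_values = getter(record["containers"].get("cna", {}))
    if cna_values:
        return "cna", cna_values
    for adp in record["containers"].get("adp", []):
        values = getter(adp)
        if values:
            return adp.get("providerMetadata", {}).get("shortName", "adp"), values
    return None, []

def with_cna_metric(record, metric):
    """Simulate the CNA later publishing its own metric; returns a new record."""
    updated = copy.deepcopy(record)
    updated["containers"]["cna"].setdefault("metrics", []).append(metric)
    return updated

if __name__ == "__main__":
    print("second pass:", qualifies_for_second_pass(SAMPLE_RECORD))
    for name in FIELDS:
        print(name, effective(SAMPLE_RECORD, name))
```

Run against the sample, the record qualifies for the second pass (Exploitation: poc and Technical Impact: total are both triggers, and the CNA provided none of CWE, CVSS or CPE), so every element resolves from the CISA-ADP container. Once with_cna_metric() adds a CNA CVSS score, effective() switches that element to the CNA source without touching the ADP data, which is the precedence rule the announcement asks consumers to apply while the ADP's own cleanup is still pending.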
SSVC decision points are handled the same way: if the originating CNA updates a CVE Record with information that affects the SSVC decision points, the CISA ADP will update those decision points shortly thereafter.

Comments or Concerns

Please contact the CISA ADP on GitHub<https://github.com/cisagov/vulnrichment?tab=readme-ov-file#issues-and-pull-requests> regarding the content provided in its ADP container.

Respectfully,
CVE Program Secretariat
cve-prog-secretar...@mitre.org<mailto:cve-prog-secretar...@mitre.org>