In this episode — recorded live at “CVE/FIRST VulnCon 2024” — CVE Board member and CVE podcast host Shannon Sabens of CrowdStrike chats with the three newest CVE Board members: Madison Oliver of GitHub Security Lab, Tod Beardsley of Austin Hackers Anonymous (AHA!), and MegaZone of F5 who joins as the new CVE Numbering Authority (CNA) Liaison to the…

Host Shannon Sabens speaks with Art Manion and Kent Landfield, all three of whom are CVE Board members and CVE Working Group (WG) chairs, about CVE Records. Discussion topics include the CVE Record Lifecycle, the three “states” of CVE Records (RESERVED, PUBLISHED, and REJECTED), the current “tags” in use with CVE Records (EXCLUSIVELY-HOSTED-SERVICE…

Learn how CVE Numbering Authority (CNA) partners—ranging from large to small organizations, proprietary and open-source products or projects, disparate business sectors, and different geographic locations—are overseen and supported within the CVE Program by “Top-Level Roots” and “Roots.” Topics include the roles and responsibilities of the two diff…

Shannon Sabens of CrowdStrike and Kent Landfield of Trellix, both of whom are CVE Board members and CVE Working Group chairs, speak about how the new CVE Record format — with its new structured data format and optional information fields — will benefit and provide enhanced value to consumers of CVE content moving forward. Specific topics discussed …

Host Shannon Sabens of CrowdStrike chats with Julia Turkevich of the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about the myths and facts of partnering with the CVE Program as a CVE Numbering Authority (CNA). Truth and facts about the following myths are discussed: Myth #1: Only a specific category of software vendors can become C…

Kris Britton of the CVE Program speaks with Lisa Olson of Microsoft about Microsoft’s journey adopting the new CVE Services and CVE JSON 5.0 into their vulnerability management infrastructure and how they used them for the first time as part of Microsoft’s February 2023 Patch Tuesday. Discussion topics include the CVE JSON 5.0 schema mind map and o…

Shannon Sabens of CrowdStrike chats with Madison Oliver of GitHub Security Lab about the recent release of OpenSSF’s “Guidance for Security Researchers to Coordinate Vulnerability Disclosures with Open Source Software Projects” document and the important step of obtaining a CVE ID in the coordinated vulnerability disclosure process for open-source …

Host Shannon Sabens of CrowdStrike chats with Tod Beardsley of Rapid7, who is the chair of the CVE Program's CNA Coordination Working Group (CNACWG), about the CNACWG’s "CNA Mentoring Program." Topics discussed include how CVE is a community, how the mentoring program is as little or as much work as you’d like it to be, the many ways in which mento…

Shannon Sabens of CrowdStrike and Tod Beardsley of Rapid7, both of whom are CVE Board members and CVE Working Group chairs, chat about the CVE Program from their insider’s perspectives. Topics include the value of a federated program of CVE Numbering Authorities (CNAs) from around the world for increased assignment of CVE Records; the upside and mi…

Shannon Sabens of CrowdStrike chats with Madison Oliver of GitHub Security Lab about how and why CVEs are assigned, the value of CVEs in vulnerability management, responsible coordination of vulnerability disclosures, the importance of comprehensiveness in security advisories, and why there is no stigma in a CVE. CVE Numbering Authority (CNA) scope…

Shannon Sabens of CrowdStrike and Milind Kulkarni of a NVIDIA discuss what security researchers should expect when reporting vulnerabilities to a Product Security Incident Response Team (PSIRT); how to best to collaborate with them; how to interpret responses from the PSIRT; how to get the best outcome when making a report; supported versus end-of-…

Kent Landfield of McAfee and Art Manion of CERT/CC discuss how the CVE Program’s upcoming release of JSON 5.0 will allow for additional and related information to be added to CVE Records after they have been published by CVE Numbering Authorities (CNAs). These additions — such as risk scores, affected product lists, versions, references, translatio…

Shannon Sabens of CrowdStrike chats with Peter Allor, Fábio Olivé, and Martin Prpic of Red Hat, which is a long-time CVE Numbering Authority (CNA). The benefits of actively participating as a member of the CVE community are discussed, especially in the CVE Working Groups, which allows Red Hat to directly contribute to enhancing CVE automation and q…

Episode 9 – Three CVE Board members provide the truth and facts about the following myths about the CVE Program: Myth #1: The CVE Program is run entirely by the MITRE Corporation Myth #2: The CVE Program is controlled by software vendors Myth #3: The CVE Program doesn’t cover enough types of vulnerabilities Myth #4: The CVE Program is responsible f…

Our eighth episode is all about how community members actively engage in the six CVE Working Groups (WGs) to help improve quality, automation, processes, and other aspects of the CVE Program as it continues to grow and expand. The chairs and co-chairs of each WG, each of whom is an active member of the CVE community, chat about their WG’s overall m…

Episode 4 – Kelly Todd of the CVE Program interviews security researcher Larry Cashdollar about how he got started researching vulnerabilities and his experiences over the years, how he became the CVE Program’s first-ever independent vulnerability researcher CVE Numbering Authority (CNA), best practices, and the benefits of being able to assign his…

Episode 3 - Shannon Sabens of CrowdStrike speaks with Jo Bazar of the CVE Program, Erin Alexander of CISA ICS, and Tomo Itou of JPCERT/CC about the structure and objectives of the CVE Numbering Authority (CNA) program, what it means to be a Root and a CNA, the benefits of partnering with the CVE Program, and recommendations for organizations consid…

Episode 2 - Chris Sandulow, Boris Sieklik, and Lena Smart from MongoDB discuss their internal processes for managing CVEs, the importance of CVSS scoring to their customers, the benefits experienced from partnering with the CVE Program as a CVE Numbering Authority (CNA), and recommendations for other organizations considering becoming a CNA.…