NEC Started Activities as a CVE Numbering Authority (CNA)
June 3, 2021
NEC is pleased to announce that we have become a CVE Numbering Authority (CNA*1), one of the few CVE (Common Vulnerabilities and Exposures) numbering authorities in Japan. This enables us to assign identifiers (CVE IDs*2) to vulnerabilities that are discovered internally or reported from outside the company, which will further speed up the vulnerability response of our products and services.
In recent years, the number of reported vulnerabilities has been increasing drastically, and the number of vulnerability entries registered in the CVE List in 2020 was over 17,000. To respond to the new vulnerabilities that are discovered every day, accurate and prompt identification and disclosure of vulnerability information are expected.
NEC groups established the PSIRT*3 in July 2002 and have been participating in the Information Security Early Warning Partnership*4 since its inception. We have been working to respond to vulnerabilities that affect our products by collecting vulnerability information, investigating the impact, preparing countermeasures in cooperation with our own product and service development departments, and disclosing information to our customers and related organizations/companies.
Now that our longstanding vulnerability response activities have taken root, we have decided to become a CNA, coupled with a recommendation from the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC*5), a Root CNA*6, to further expand our international activities.
Through our activities as a CNA, NEC groups will continue to contribute to the realization of a safe and secure society by identifying new vulnerabilities and promptly responding to them.
In addition, we have received an endorsement from JPCERT/CC for this announcement.
“Welcome to the CNA community. We are very pleased to have a new partner who shares the common views on CNA activities and the importance of CVD (Coordinated Vulnerability Disclosure). Further growth of NEC PSIRT activities equipped with CNA functions is expected. It is our pleasure to challenge and work together with NEC on effective vulnerability disclosures.” (JPCERT/CC)
- *1: An organization responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the Vulnerability in the associated CVE Record. Each CNA has a specific Scope of responsibility for vulnerability identification and publishing.
- *2: A unique, alphanumeric identifier assigned by the CVE Program. Each identifier references a specific vulnerability. A CVE ID enables automation and multiple parties to discuss, share, and correlate information about a specific vulnerability, knowing they are referring to the same thing.
- *3: Abbreviation for Product Security Incident Response Team. A function in an organization that responds to risks arising from vulnerabilities in the products and services provided to customers.
- *4: Public-private partnership for smooth distribution of vulnerability-related information on software products and web applications, and dissemination of countermeasures.
- *5: JPCERT/CC is the first CSIRT (Computer Security Incident Response Team) established in Japan. The organization coordinates with network service providers, security vendors, government agencies, as well as the industry associations. As such, it acts as a "CSIRT of CSIRTs" in the Japanese community.
- *6: As of May 2021, there are three Root organizations, MITRE, CISA ICS, and JPCERT/CC, that recruit, invite, train, and manage CNAs.
Related security blog (in Japanese):
For inquiries regarding this matter, please contact:
NEC Cyber Security Strategy Division