CISA Provides No Explanation for Sponsoring Program That Directs Vulnerability Report Info to Hackers
CVE is a program that is supposed to provide unique identifiers for vulnerabilities. As we will get to shortly, it is also a path for directing software vulnerability reports away from developers and to at least one security company that sells non-public information on vulnerabilities to any hackers willing to pay for it.
The footer of the website for the CVE program claims that it is sponsored by the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA):
CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA)
The linked page for CISA doesn’t mention that sponsorship. We found a CISA press release on their website from two years ago that stated they sponsored CVE at the time, but there is a warning on that page, which says that it may contain “outdated information that may not reflect current policy or programs.”
CISA describes itself this way:
The Cybersecurity and Infrastructure Security Agency (CISA) leads the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure. We connect our stakeholders in industry and government to each other and to resources, analyses, and tools to help them build their own cyber, communications, and physical security and resilience, in turn helping to ensure a secure and resilient infrastructure for the American people.
We contacted CISA for comment on this story and our first question was if they are indeed the sponsors of CVE. They didn’t respond.
Information For Sale to Hackers
A month ago, we wrote about how the WordPress security company Wordfence had provided non-public information on vulnerabilities in a WordPress plugin from Oracle to anyone willing to pay for the Wordfence Premium service. What happened ran counter to their claimed responsible disclosure policy and seems like problematic behavior from a security provider.
At the time, we didn’t know where that information originally came from, but at the end of last month that got filled in. Wordfence had not discovered the vulnerabilities themselves; instead, the vulnerabilities were reported to them through their partnership with CVE, which they describe this way on the page the vulnerabilities were disclosed on:
Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence assigns CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes.
Assigned CVE IDs and the vulnerability details are published below. For more information about submitting vulnerabilities to Wordfence for CVE ID assignment, please refer to our vulnerability disclosure policy.
So you have CVE, in part, causing a vulnerability to be reported to a third-party security provider instead of to the developer, Oracle. That seems like a big problem. We asked CISA about that:
We are wondering if CISA is aware that the CVE Numbering Authorities program is being used by security companies to gain access to information on non-public vulnerabilities like this, which they, as this situation shows, have the ability to then sell to malicious actors? If so, what is the intended purpose of that? If not, is CISA going to take action to change how that is handled?
There was no response to that.
CNA Program Not Working as Advertised
Another problem here is that Oracle is also a CVE Numbering Authority (CNA) and they are supposed to be the one issuing CVE IDs for their software, but that didn’t happen here. We previously noted an instance where the same thing occurred with a CVE for software from Microsoft that we happened across, so it is likely occurring on a wider scale. So CVE’s CNA program isn’t working as advertised, and CVE doesn’t provide a mechanism to report problems with the CNAs. We also asked CISA about that:
So our final questions are, what oversight, if any, does CISA do of their sponsorship of CVE to ensure it is enforcing its own stated policies and is there a method for the public to report to CISA problems with the CVE program?
As with the other questions asked, there was no response.
Unresponsive Security Infrastructure
It seems to run counter to CISA’s stated focus to be funding the CVE program as it currently operates, but there doesn’t appear to be a way for this to be addressed if CVE and CISA simply refuse to provide a mechanism for reporting issues and then having those issues addressed.