Search Guard CNA CVE

MITRE names Search Guard as a CVE Numbering Authority

by Fabian Michalsen on July 3, 2019

After last week’s announcement of our optimizations and brand-new features like Search Guard Signals (Insights & Alerting for Elasticsearch), we’re very proud to announce that floragunn GmbH has been named as a CVE numbering authority by MITRE for all issues related to Search Guard. We look forward to participating in and supporting the CVE project and ecosystem for the benefit of the security industry and our customers.

The Search Guard community, our customers and partners can always rely on our mission to provide the best security experience possible. We are very exited to announce that Search Guard is now part of the CNA program and can issue CVE identifiers for information-security vulnerabilities and their fixes.

Common Vulnerabilities and Exposures (CVE) is a list of entries containing an identification number, a description, and at least one public reference for publicly known cybersecurity vulnerabilities. CVE Entries are used in numerous cybersecurity products and services from around the world, including the U.S. National Vulnerability Database (NVD).

A CVE Numbering Authority (CNA) is an organization that can assign and announce CVE entries within a particular scope.

Becoming a CNA makes it possible for us to identify unique vulnerabilities within our products, publicly disclose vulnerabilities that have been newly identified, release vulnerability information without pre-publishing, and notify customers of vulnerabilities. This adds a new level of transparency and trust for our customers and users.

But let’s hear what our CTO Hendrik Saly has to say about this new milestone:

What does the participation in the program mean for Search Guard?

„Being in the CNA program (CVE Numbering Authority) for Search Guard allows us to assign CVE IDs for security issues directly and quickly.  It also ensures that potential issues found by others are carefully reviewed and rated by the vendor and that publication of an issue and fixing it can be properly aligned.“

What are the benefits for our customers?

„For our customers this means that security issues will be documented, published and distributed in a standardized way.“

Why is it important to be part of the CNA program?

„Software vendors which are not authorized to assign CVE IDs to their own products are not able to control the disclosure of vulnerability information without pre-publishing.“

Search Guard also participates in the CA Veracode Verified program that validates a company’s secure software development processes. With approximately 30 percent of all breaches occurring as a result of a vulnerability at the application layer, software purchasers are demanding more insight into the security of the software they are buying. CA Veracode Verified empowers us to demonstrate our commitment to creating secure software.

Image: shutterstock / vs148

Fabian MichalsenMITRE names Search Guard as a CVE Numbering Authority

Join the conversation