Devolutions Is Now Officially a CVE Numbering Authority (CNA)

Martin Lemay

Martin Lemay, Chief Security Officer at Devolutions, plays a key leadership role in driving strong cyber security fundamentals and features across all of our products. Outside work you can catch him trying new restaurants or watching an episode of Walking Dead.

To better streamline our vulnerability disclosure process and promote transparency across the security of our products, we are pleased to announce that Devolutions has been authorized by the CVE Program as a CVE Numbering Authority (CNA).

About CNAs

CNAs are organizations from around the world that are responsible for assigning CVE IDs to vulnerabilities, and for publishing information about vulnerabilities in associated CVE Records. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. Devolutions’ scope covers vulnerabilities related to Remote Desktop Manager and Devolutions Server products.

What Is a CVE Record?

CVE is an international, community-based effort that relies on community members to discover and disclose vulnerabilities. Each vulnerability is assigned and published to the CVE List as a CVE Record. This enables the community to refer to the vulnerability in a standardized way, which results in significant time and cost savings. Earlier this year, we published our first security advisory batch of CVEs.

How Does This Impact Devolutions’ Customers?

Being a CNA allows Devolutions to work directly with security researchers to provide CVE IDs and ensure that reported vulnerabilities are published in a timely manner once a fix is available. The CNA Program is governed by strict rules that Devolutions and all other CVE Numbering Authorities must follow. Furthermore, to prevent potential abuse, security researchers have the right to dispute a vendor’s decision on a CVE assignment. Ultimately, this helps build trust with customers by enhancing transparency and security due diligence, while ensuring that appropriate and reliable information about vulnerabilities is made public.

Some Final Thoughts

As a consumer, I expect vendors to follow a similar path to protect their customers. I am therefore proud to be part of an organization that does not hesitate to provide transparency of its security practices to the whole world. Managing and communicating product vulnerabilities should be at the very core of every software vendor’s quality assurance. Becoming a partner in the CNA Program is a logical next step in this longstanding commitment.
