To better streamline our vulnerability disclosure process and promote transparency across the security of our products, we are pleased to announce that Devolutions has been authorized by the CVE Program as a CVE Numbering Authority (CNA).
About CNAs
CNAs are organizations from around the world that are responsible for assigning CVE IDs to vulnerabilities, and for publishing information about vulnerabilities in associated CVE Records. Each CNA has a specific scope of responsibility for vulnerability identification and publishing. Devolutions’ scope covers vulnerabilities related to Remote Desktop Manager and Devolutions Server products.
What Is CVE Record?
CVE is an international, community-based effort that relies on community members to discover and disclose vulnerabilities. Each vulnerability is assigned and published to the CVE List as a CVE Record. This enables the community to refer to the vulnerability in a standardized way, which results in significant time and cost savings. Earlier this year, we published our first security advisory batch of CVEs.
How Does This Impact Devolutions’ Customers?
Being a CNA allows Devolutions to work directly with security researchers to provide CVE IDs and ensure that reported vulnerabilities are published in a timely manner once a fix is available. The CNA Program is governed by strict rules that Devolutions and all other CNA Numbering Authorities must follow. Furthermore, to prevent potential abuse, security researchers have the right to dispute a vendor’s decision on a CVE assignment. Ultimately, this helps build trust with customers by enhancing transparency and security due diligence, while ensuring that appropriate and reliable information about vulnerabilities is made public.
Some Final Thoughts
As a consumer, I expect vendors to follow a similar path to protect their customers. I am therefore proud to be part of an organization that does not hesitate to provide transparency of its security practices to the whole world. Managing and communicating product vulnerabilities should be at the very core of every software vendor’s quality assurance. Becoming a partner in the CNA Program is a logical next step in this longstanding commitment.