12/22/2016
03:00 PM
Dark Reading
Products and Releases

Rapid7 Named Common Vulnerability and Exposure Numbering Authority

Boston, MA — December 20, 2016 -- Rapid7, Inc. (NASDAQ: RPD), a leading provider of IT and security analytics solutions, today announced that the Company has been designated as a Common Vulnerabilities and Exposures (CVE) Numbering Authority (CNA), effective immediately. Rapid7 will now be able to assign CVE numbers to vulnerabilities found in Rapid7’s and any other vendors’ products, whether they are disclosed by Rapid7 or third-party researchers. CVEs assigned by Rapid7 will be added to the CVE list, an enumeration of information security vulnerabilities and exposures that provides a singular way of identifying publicly known cybersecurity issues.

The goal of CVE is to make it easier to share data across separate vulnerability tools, repositories, and services with standardized identifiers for given vulnerabilities or exposures. The common identifiers allow users to quickly and accurately access information about a problem across multiple information sources that are CVE-compatible. The MITRE Corporation (MITRE) manages and maintains the CVE List with assistance from the CVE Board. MITRE is a not-for-profit operator of seven federally funded research and development centers, and their mission is to work in the public interest. Their unique role allows them to provide an objective perspective with regard to disclosed vulnerabilities.

“We are honored to become a CNA and look forward to collaborating with MITRE, who have impressed us with their efforts to evolve the CVE program to meet ever-increasing needs,” said Corey Thomas, president and CEO at Rapid7. “Our support of reasonable disclosure practices is driven by our deep-seated commitment to supporting and empowering the community. Our goal is twofold: help improve and mature the security practices of vendors and manufacturers, while educating users on risk, so they can make informed decisions.”

Rapid7 has an established record of coordinated and reasonable disclosure practices, and has been a strong supporter of free and open security research through its open source efforts, including Metasploit Framework. As a provider of security software, services, and research, the Company takes security issues very seriously and recognizes the importance of privacy, security, and community outreach. In 2016 alone, Rapid7 coordinated with more than 25 vendors on vulnerability disclosures discovered by its researchers. These efforts are driven by a belief that security is a communal challenge and will only be meaningfully addressed through active collaboration. As such, the Company is committed to openly facilitating the sharing of security information that helps customers and the broader community learn, grow, and develop new security capabilities.

As a CNA, Rapid7 will assign CVE numbers to describe vulnerabilities identified in software products, once they are acknowledged by the affected vendors, in accordance with the rules and practices set forth by the CVE Board. More information about specific CVE guidelines can be found here: https://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf.

For more information about Rapid7, please visit: https://www.rapid7.com/


About Rapid7

With Rapid7, technology professionals gain the clarity, command, and confidence to safely drive innovation and protect against risk. We make it simple to collect operational data across systems, eliminating blind spots and unlocking the information required to securely develop, operate, and manage today’s sophisticated applications and services. Our analytics and science transform your data into key insights so you can quickly predict, deter, detect, and remediate attacks and obstacles to productivity. Armed with Rapid7, technology professionals finally gain the insights needed to safely move their business forward. Rapid7 is trusted by more than 5,800 organizations across over 110 countries, including 37% of the Fortune 1000. To learn more about Rapid7 or get involved in our threat research, visit www.rapid7.com
