Vulnerabilities / Threats // Vulnerability Management
12/22/2016
03:00 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Rapid7 Named Common Vulnerability and Exposure Numbering Authority

Boston, MA — December 20, 2016 -- Rapid7, Inc. (NASDAQ: RPD), a leading provider of IT and security analytics solutions, today announced that the Company has been designated as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA), effective immediately. Rapid7 will now be able to assign CVE numbers to vulnerabilities found in Rapid7’s and any other vendors’ products, whether they are disclosed by Rapid7 or third party researchers. CVEs assigned by Rapid7 will be added to the CVE list, an enumeration of information security vulnerabilities and exposures that provides a singular way of identifying publicly known cybersecurity issues.

The goal of CVE is to make it easier to share data across separate vulnerability tools, repositories, and services with standardized identifiers for given vulnerabilities or exposures. The common identifiers allow users to quickly and accurately access information about a problem across multiple information sources that are CVE-compatible. The MITRE Corporation (MITRE) manages and maintains the CVE List with assistance from the CVE Board. MITRE is a not-for-profit operator of seven federally funded research and development centers, and their mission is to work in the public interest. Their unique role allows them to provide an objective perspective with regard to disclosed vulnerabilities.

“We are honored to become a CNA and look forward to collaborating with MITRE, who have impressed us with their efforts to evolve the CVE program to meet ever-increasing needs,” said Corey Thomas, president and CEO at Rapid7. “Our support of reasonable disclosure practices is driven by our deep-seated commitment to supporting and empowering the community. Our goal is twofold: help improve and mature the security practices of vendors and manufacturers, while educating users on risk, so they can make informed decisions.”

Rapid7 has an established record of coordinated and reasonable disclosure practices, and has been a strong supporter of free and open security research through its open source efforts, including Metasploit Framework. As a provider of security software, services, and research, the Company takes security issues very seriously and recognizes the importance of privacy, security, and community outreach. In 2016 alone, Rapid7 coordinated with more than 25 vendors on vulnerability disclosures discovered by its researchers. These efforts are driven by a belief that security is a communal challenge and will only be meaningfully addressed through active collaboration. As such, the Company is committed to openly facilitating the sharing of security information that helps customers and the broader community learn, grow, and develop new security capabilities.

As a CNA, Rapid7 will assign CVE numbers to describe vulnerabilities identified in software products, once they are acknowledged by the affected vendors, in accordance with the rules and practices set forth by the CVE Board. More information about specific CVE guidelines can be found here: https://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf.

For more information about Rapid7, please visit: https://www.rapid7.com/


About Rapid7

With Rapid7, technology professionals gain the clarity, command, and confidence to safely drive innovation and protect against risk. We make it simple to collect operational data across systems, eliminating blind spots and unlocking the information required to securely develop, operate, and manage today’s sophisticated applications and services. Our analytics and science transform your data into key insights so you can quickly predict, deter, detect, and remediate attacks and obstacles to productivity. Armed with Rapid7, technology professionals finally gain the insights needed to safely move their business forward. Rapid7 is trusted by more than 5,800 organizations across over 110 countries, including 37% of the Fortune 1000. To learn more about Rapid7 or get involved in our threat research, visit www.rapid7.com

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.