Vulnerabilities / Threats //

Vulnerability Management

12/22/2016
03:00 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Rapid7 Named Common Vulnerability and Exposure Numbering Authority

Boston, MA — December 20, 2016 -- Rapid7, Inc. (NASDAQ: RPD), a leading provider of IT and security analytics solutions, today announced that the Company has been designated as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA), effective immediately. Rapid7 will now be able to assign CVE numbers to vulnerabilities found in Rapid7’s and any other vendors’ products, whether they are disclosed by Rapid7 or third party researchers. CVEs assigned by Rapid7 will be added to the CVE list, an enumeration of information security vulnerabilities and exposures that provides a singular way of identifying publicly known cybersecurity issues.

The goal of CVE is to make it easier to share data across separate vulnerability tools, repositories, and services with standardized identifiers for given vulnerabilities or exposures. The common identifiers allow users to quickly and accurately access information about a problem across multiple information sources that are CVE-compatible. The MITRE Corporation (MITRE) manages and maintains the CVE List with assistance from the CVE Board. MITRE is a not-for-profit operator of seven federally funded research and development centers, and their mission is to work in the public interest. Their unique role allows them to provide an objective perspective with regard to disclosed vulnerabilities.

“We are honored to become a CNA and look forward to collaborating with MITRE, who have impressed us with their efforts to evolve the CVE program to meet ever-increasing needs,” said Corey Thomas, president and CEO at Rapid7. “Our support of reasonable disclosure practices is driven by our deep-seated commitment to supporting and empowering the community. Our goal is twofold: help improve and mature the security practices of vendors and manufacturers, while educating users on risk, so they can make informed decisions.”

Rapid7 has an established record of coordinated and reasonable disclosure practices, and has been a strong supporter of free and open security research through its open source efforts, including Metasploit Framework. As a provider of security software, services, and research, the Company takes security issues very seriously and recognizes the importance of privacy, security, and community outreach. In 2016 alone, Rapid7 coordinated with more than 25 vendors on vulnerability disclosures discovered by its researchers. These efforts are driven by a belief that security is a communal challenge and will only be meaningfully addressed through active collaboration. As such, the Company is committed to openly facilitating the sharing of security information that helps customers and the broader community learn, grow, and develop new security capabilities.

As a CNA, Rapid7 will assign CVE numbers to describe vulnerabilities identified in software products, once they are acknowledged by the affected vendors, in accordance with the rules and practices set forth by the CVE Board. More information about specific CVE guidelines can be found here: https://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf.

For more information about Rapid7, please visit: https://www.rapid7.com/


About Rapid7

With Rapid7, technology professionals gain the clarity, command, and confidence to safely drive innovation and protect against risk. We make it simple to collect operational data across systems, eliminating blind spots and unlocking the information required to securely develop, operate, and manage today’s sophisticated applications and services. Our analytics and science transform your data into key insights so you can quickly predict, deter, detect, and remediate attacks and obstacles to productivity. Armed with Rapid7, technology professionals finally gain the insights needed to safely move their business forward. Rapid7 is trusted by more than 5,800 organizations across over 110 countries, including 37% of the Fortune 1000. To learn more about Rapid7 or get involved in our threat research, visit www.rapid7.com

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Mozilla, Internet Society and Others Pressure Retailers to Demand Secure IoT Products
Curtis Franklin Jr., Senior Editor at Dark Reading,  2/14/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8903
PUBLISHED: 2019-02-18
index.js in Total.js Platform before 3.2.3 allows path traversal.
CVE-2019-6453
PUBLISHED: 2019-02-18
mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers. The attacker can specify an irc:// URI that loads an arbitrary .ini file from a UNC share pathname. Exploitation depends on browser-specific URI handling (Chrome is not exploitable).
CVE-2019-8372
PUBLISHED: 2019-02-18
The LHA.sys driver before 1.1.1811.2101 in LG Device Manager exposes functionality that allows low-privileged users to read and write arbitrary physical memory via specially crafted IOCTL requests and elevate system privileges. This occurs because the device object has an associated symbolic link an...
CVE-2019-8902
PUBLISHED: 2019-02-18
An issue was discovered in idreamsoft iCMS through 7.0.14. A CSRF vulnerability can delete users' articles via the public/api.php?app=user URI.
CVE-2019-8423
PUBLISHED: 2019-02-18
ZoneMinder through 1.32.3 has SQL Injection via the skins/classic/views/events.php filter[Query][terms][0][cnj] parameter.