Recently we made the first major security release in several years, which also coincided with the clarification of processes and workflows the Security Team will follow should another vulnerability arise in the future.
Part of this process was to become a CVE Numbering Authority (CNA) so that we can be the single source of truth for dealing with the publishing of information relating to vulnerabilities in Mautic and officially supported plugins.
The CVE Program has today authorized Mautic as a CVE Numbering Authority (CNA).
What is a CVE?
External to our project, the Common Vulnerabilities and Exposures (CVE®) Program assigns a unique identifier to each vulnerability discovered across any participating project. This enables two or more people or tools to refer to a vulnerability and know they are talking about the same thing, resulting in significant time and cost savings.
The Common Vulnerabilities and Exposures (CVE®) Program is an international, community-based effort that relies on the community to discover vulnerabilities. Once discovered, a vulnerability is assigned a CVE ID and then published to the CVE List.
What is a CNA?
CNAs are organizations responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about each vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing.
Within the framework of the CNA program, the Mautic Security Team can now assign CVE numbers to newly identified vulnerabilities and publicly disclose information on these vulnerabilities. The scope of this authority includes Mautic Core and officially supported plugins not covered by another CNA.
What does this mean for Mautic?
Becoming a CNA means that if anybody discovers a vulnerability in Mautic or any of the officially supported plugins, they will have to report it to the Mautic Security Team in order to be granted a CVE ID.
Previously, a report could be made to the CVE Program without involving the Mautic Security Team, which could lead to vulnerabilities being published before a fix is made available or the team even being aware of the vulnerability.
How do I report a vulnerability?
We have detailed guidelines which you can review here: https://www.mautic.org/mautic-security-team/how-to-report-a-security-issue
Who can I contact for more information?
Please reach out to firstname.lastname@example.org in the first instance.

This is a companion discussion topic for the original entry at https://www.mautic.org/blog/community/mautic-authorized-cve-numbering-authority-cna