After completing several stages to strengthen security procedures, Zabbix proudly announces that it has joined the CVE Program to assign CVE IDs to vulnerabilities affecting Zabbix products and projects.
The CVE program is the de facto international standard for identifying and naming cyber security vulnerabilities. The Common Vulnerabilities and Exposures (CVE®) Program’s primary purpose is to uniquely identify vulnerabilities and to associate specific versions of code bases (e.g., software and shared libraries) to those vulnerabilities – as stated on CVE Program website.
CVE Numbering Authorities (CNAs) are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. These CVE IDs are provided to researchers, vulnerability disclosers, and information technology vendors.
Zabbix as an information technology vendor providing network infrastructure monitoring software has become a CNA for information-security vulnerabilities for Zabbix only.
Zabbix assures the best security experience possible for its customers, users and partners. We are very excited to announce that Zabbix is now part of the CNA program and can issue CVE identifiers for information-security vulnerabilities and their fixes.
Participation in CVE is a voluntary gesture. Zabbix as a monitoring software sees this as an ability to strengthen our monitoring software and the ability to control the disclosure of vulnerability information.
How Zabbix users and customers benefit from this?
One of the main purposes for Zabbix to partner with the CVE Program is to oversee vulnerability management practices to our customers. This is also our commitment to cybersecurity to current and potential customers. Becoming a CNA also guarantees that we can deliver value-added vulnerability information to our customers.
And by becoming CNA we are completing our security policy that strengthens our ability to better cope with vulnerability aspects.
About CVE program
The CVE Program relies on the community (vendors, end-users, researchers, and more) to discover and register vulnerabilities. The CVE Board, which drives the direction of the CVE Program, consists of industry, academic, and government representatives from around the world. The CVE Program is sponsored by the Cybersecurity and Infrastructure Security Agency (CISA, https://www.cisa.gov/of the U.S. Department of Homeland Security (DHS) and is operated by the MITRE Corporation in close collaboration with international industry, academic, and government stakeholders.
Read the official announcement from CVE Program.