Censys is pleased to announce that we are officially a CVE Numbering Authority (CNA). As part of the CVE program, Censys plans on issuing CVE identifiers for security issues discovered and reported from our research team, as well as any issues discovered in our non-SaaS software components. CVE is an international, community-based effort and relies on its network to discover vulnerabilities. The vulnerabilities are discovered, then assigned, and published to the CVE List. We are proud to stand alongside organizations such as Microsoft, Adobe, Apple, Google, Cisco, Rapid7, and others who participate as CNAs.
Alongside our CNA membership, we are also formally announcing our Responsible Vulnerability Disclosure Program (often referred to using the acronym VDP). The responsible disclosure steps in our program are outlined on our website, copied below for reference:
- Censys will keep any communication confidential regarding the vulnerability until the completion of the disclosure process.
- Censys will attempt to contact the appropriate product vendor by email.
- Censys will provide the vulnerability details to the vendor.
- If further coordination is required, Censys will send a notification to CERT/CC within 15 days after the first attempt at contacting the vendor.
- Censys will prepare and publish an advisory detailing the vulnerability at least 60 days (maximum of 90) after initial attempts at disclosure at stage #2 above, barring extenuating circumstances. This advisory will be made available to the general public via Censys’ blog and social media. Depending on the impact, Censys may coordinate with interested parties in the media.
Stay tuned for more information on vulnerabilities Censys research has discovered throughout the year. To learn more about Censys research and view some of our past analyses on vulnerabilities, their impact on organizations, and global cybersecurity health at large, visit https://censys.io/blog/.
