Table of contents

Title

Table of content

Title



Blog

Opinions

CNAs intelligence: A hacker's view of the performance of researcher CNAs

Andres Roldan

VP of Hacking

Updated

May 12, 2023



6 min

On June 2, 2021, Fluid Attacks was admitted as a CNA by MITRE. A CVE Numbering Authority, or CNA, is responsible for assigning CVE IDs to vulnerabilities found in software. MITRE grants the CNA the right to determine whether certain issue can be considered a vulnerability. That means that as a CNA it's at our discretion whether to flag an issue as a vulnerability based on whether there's a violation of the security policy of the application, whether there's any negative impact on the product, and the analysis of the product owner regarding the issue.

The other variable in the responsibility of CNAs is the chosen software. MITRE limits the scope of CVE ID assignment to software that is licensable and publicly available, either paid or free. Also, each CNA has a scope. Some CNAs assign CVE IDs only to their own products (Microsoft, Apple, Adobe, for example). Our scope is any software that is not within the scope of other CNAs, which means that we can't assign CVE IDs to products from Microsoft, for example, but still, the universe of software is huge.

Having the ability to assign CVE IDs, our research team has created a Disclosure Policy, which we follow to talk to a vendor privately once we have identified a possible vulnerability in their software. In an ideal world, the vendor would acknowledge the vulnerabilities, create fixes and inform us of this within a defined period of time, after which we make the vulnerability public in our Advisories page. More information on our disclosure process is detailed here.

To this date, we have assigned 76 CVE IDs and want to check our performance with similar CNAs. Let's first see the process of gathering the information.

Gathering the data

As mentioned before, every CNA has a defined scope, but there is additional metadata associated to the CNAs.

MITRE provides certain ways to interact with their information. Red Hat created a tool which can be used to check basic information of the CNA, reserve CVE IDs and list the IDs published and reserved, among other tasks.

But it is limited only to the current CNA, which is identified using certain secret parameters.

Other information can be seen on the CVE Program's List of Partners.

As can be seen, Fluid Attacks' organization type is Researcher. To check our performance with other Researcher CNAs, we must first filter what other CNAs have the same type. A CNA can have multiple types:

Airbus, for example, is both a Vendor and a Researcher, and its scope includes Airbus products as well as third-party software.

However, we just want to check CNAs that have only the type Researcher, just like us.

That List of Partners has a filter field but it's not very advanced. But if we use simple tools, we see that the List of Partners page is actually a client-side application bundled into a JS file:

That JS script has actually little code, but has embedded a JSON with all the CNAs information:

With some simple filters, the JSON can be extracted from the JS:

aroldan ~ $ curl -s https://www.cve.org/js/app.3611fa3b.js | grep -Eo 'g=JSON.parse\(.*\);r.Z.use' | sed -e "s/g=JSON\.parse('//g; s/');r.Z.use//g; s/<a href=\\\'//g; s/\\\' target=\\\'_blank\\\'>//g; s/\\\'//g" | json_pp
[
   {
      "CNA" : {
         "TLR" : {
            "organizationName" : "MITRE Corporation",
            "shortName" : "mitre"
         },
         "isRoot" : false,
         "roles" : [
            {
               "helpText" : "",
               "role" : "CNA"
            }
         ],
         "root" : {
            "organizationName" : "n/a",
            "shortName" : "n/a"
         },
         "type" : [
            "Vendor"
         ]
      },
      "cnaID" : "CNA-2009-0001",
      "contact" : [
         {
            "contact" : [
               {
                  "label" : "Adobe security contact page",
                  "url" : "https://helpx.adobe.com/security/alertus.html"
               }
            ],
...

And with the extracted JSON, queries can be made directly. First, let's list the number of CNAs:

aroldan ~ $ curl -s https://www.cve.org/js/app.3611fa3b.js | grep -Eo 'g=JSON.parse\(.*\);r.Z.use' | sed -e "s/g=JSON\.parse('//g; s/');r.Z.use//g; s/<a href=\\\'//g; s/\\\' target=\\\'_blank\\\'>//g; s/\\\'//g" | json_pp | jq -c '.[]' | wc -l
     288
aroldan ~  $

Nice. To the date of this writing, there are 288 CNAs active.

As we can search now with any filter, let's check Fluid Attacks' CNA metadata:

aroldan ~ $ curl -s https://www.cve.org/js/app.3611fa3b.js | grep -Eo 'g=JSON.parse\(.*\);r.Z.use' | sed -e "s/g=JSON\.parse('//g; s/');r.Z.use//g; s/<a href=\\\'//g; s/\\\' target=\\\'_blank\\\'>//g; s/\\\'//g" | json_pp | jq '.[] | select (.organizationName == "Fluid Attacks")'
{
  "CNA": {
    "TLR": {
      "organizationName": "MITRE Corporation",
      "shortName": "mitre"
    },
    "isRoot": false,
    "roles": [
      {
        "helpText": "",
        "role": "CNA"
      }
    ],
    "root": {
      "organizationName": "n/a",
      "shortName": "n/a"
    },
    "type": [
      "Researcher"
    ]
  },
  "cnaID": "CNA-2021-0020",
  "contact": [
    {
      "contact": [],
      "email": [
        {
          "emailAddr": "help@fluidattacks.com",
          "label": "Email"
        }
      ],
      "form": []
    }
  ],
  "country": "Colombia",
  "disclosurePolicy": [
    {
      "label": "Policy",
      "language": "",
      "url": "https://fluidattacks.com/advisories/policy/"
    }
  ],
  "organizationName": "Fluid Attacks",
  "resources": [],
  "scope": "Vulnerabilities in third-party software discovered by Fluid Attacks that are not in another CNAâs scope",
  "securityAdvisories": {
    "advisories": [
      {
        "label": "Advisories",
        "url": "https://fluidattacks.com/advisories/"
      }
    ],
    "alerts": []
  },
  "shortName": "Fluid Attacks"

Cool. Now we can find all the CNAs that are only the Researcher type:

aroldan ~ $ curl -s https://www.cve.org/js/app.3611fa3b.js | grep -Eo 'g=JSON.parse\(.*\);r.Z.use' | sed -e "s/g=JSON\.parse('//g; s/');r.Z.use//g; s/<a href=\\\'//g; s/\\\' target=\\\'_blank\\\'>//g; s/\\\'//g" | json_pp | jq -c '.[] | select ( .CNA.type == ["Researcher"])' | wc -l
      16
aroldan ~  $

Surprisingly, out of the 288 current CNAs, there are just 16 Researcher-only CNAs in the world.

Performance of Researcher CNAs

We have now the CNAs that share the same type as us. At Fluid Attacks, we have a dedicated team performing research, with a clear prioritization model and a well-oiled methodology for finding vulnerabilities in software that fits our scope.

Measuring the performance of a Researcher CNA is hard because it all depends on the internal process taken to emit CVE IDs.

The only publicly available parameter to compare these CNAs is basically the number of CVE IDs assigned in total and CVE IDs assigned per year.

One of the metadata which is only visible on the JSON is the CNA ID.

aroldan ~ $ curl -s https://www.cve.org/js/app.3611fa3b.js | grep -Eo 'g=JSON.parse\(.*\);r.Z.use' | sed -e "s/g=JSON\.parse('//g; s/');r.Z.use//g; s/<a href=\\\'//g; s/\\\' target=\\\'_blank\\\'>//g; s/\\\'//g" | json_pp | jq '.[] | select ( .CNA.type == ["Researcher"] and .organizationName == "Fluid Attacks") | .cnaID'
"CNA-2021-0020"

According to the value, it is safe to assume that the CNA ID contains the year in which the organization was accepted by MITRE as CNA.

Together with that, this is the data gathered from the Researcher class CNAs:

CNA	Country	# CVEs	CNA ID Year	CVEs/Year	Ranking (Total)	Ranking (CVEs/Year)
Cyber Security Works Pvt. Ltd	India	55	2020	13.75	5	7
Fluid Attacks	Colombia	76	2021	25.33	3	4
Larry Cashdollar	USA	9	2016	1.13	10	11
Talos	USA	55	2016	6.88	5	8
Government Technology Agency of Singapore Cyber Security Group (GovTech CSG)	Singapore	18	2021	6.00	9	9
AppCheck Ltd	UK	6	2021	2.00	11	10
VulDB	Switzerland	480	2001	20.87	1	5
Dutch Institute for Vulnerability Disclosure (DIVD)	Netherlands		2022	0.00		13
Automotive Security Research Group (ASRG)	USA	1	2022	0.50	12	12
ZUSO Advanced Research Team (ZUSO ART)	Taiwan	36	2022	18.00	8	6
The Missing Link Australia (TML)	Australia	51	2022	25.50	7	3
NetRise	USA	0	2022	0.00	13	13
Austin Hackers Anonymous	USA	0	2023	0.00		13
STAR Labs SG Pte. Ltd	Singapore	100	2023	100.00	2	1
Securifera, Inc	USA	61	2023	61.00	4	2
Halborn	USA	0	2023	0.00	13	13

CNA performance analysis

VulDB is the CNA with the most CVEs assigned. However, its performance per year is ranked as fifth.
STAR Labs SG has the best CNA performance per year.
Fluid Attacks has the third-best performance in the total of CVE IDs assigned and the fourth-best in assignments per year. Not bad!
Fluid Attacks has the best performance in America!

Conclusions

This was a hacker's view of the performance of Researcher CNAs. The data shows Fluid Attacks has had an outstanding performance. Please note that there are other research teams in the world that look for vulnerabilities and report them directly via the MITRE Root CNA, but those were not included in this analysis.

Get started with Fluid Attacks' SSCS solution right now

Tags:

cybersecurity

company







Subscribe to our newsletter

Stay updated on our upcoming events and latest blog posts, advisories and other engaging resources.

Security through transparency: Be more secure by increasing trust in your software

Read post



Opinions

Jason Chavarría

•

July 26, 2024

On the Crowdstrike incident: A lesson of this global IT crash is to shift left

Read post



cover-undersupported-digital-infrastructure

Opinions

Felipe Ruiz

•

April 17, 2024

Undersupported digital infrastructure: We need you, but we can't give you any money

Read post



Opinions

Felipe Ruiz

•

April 9, 2024

Lessons learned from black swans for cybersecurity

Read post



cover-nebraska-joke-infrastructure-dependency

Opinions

Felipe Ruiz

•

March 22, 2024

The joke on someone in Nebraska: A digital infrastructure issue that many still ignore

Read post



cover-justify-investment-in-cybersecurity

Opinions

Felipe Ruiz

•

March 6, 2024

How can we justify the investment in cybersecurity?

Read post



Opinions

Jason Chavarría

•

February 6, 2024

Top 10 hacking certifications: Our pick of the hardest challenges for ethical hackers

Read post



Opinions

Felipe Ruiz

•

January 26, 2024

The mother of all breaches?

Read post



Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which organizations of all sizes are already enjoying.

Try for free

Contact sales

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.