CNAs Intelligence

A hacker's view of the performance of Researcher CNAs


On June 2, 2021, Fluid Attacks was admitted as a CNA by MITRE. A CVE Numbering Authority, or CNA, is responsible for assigning CVE IDs to vulnerabilities found in software. MITRE grants the CNA the right to determine whether a certain issue can be considered a vulnerability. That means that, as a CNA, it is at our discretion whether to flag an issue as a vulnerability, based on whether there is a violation of the application's security policy, whether there is any negative impact on the product, and the product owner's own analysis of the issue.

The other variable in a CNA's responsibility is the software it covers. MITRE limits the scope of CVE ID assignment to software that is licensable and publicly available, whether paid or free. Also, each CNA has a scope. Some CNAs assign CVE IDs only to their own products (Microsoft, Apple and Adobe, for example). Our scope is any software that is not within the scope of another CNA, which means that we can't assign CVE IDs to Microsoft products, for example, but the universe of software is still huge.

Having the ability to assign CVE IDs, our research team created a Disclosure Policy, which we follow to talk to a vendor privately once we have identified a possible vulnerability in their software. In an ideal world, the vendor would acknowledge the vulnerabilities, create fixes and inform us of this within a defined period of time, after which we make the vulnerability public on our Advisories page. More information on our disclosure process is detailed here.

To date, we have assigned 76 CVE IDs and want to compare our performance with that of similar CNAs. Let's first see the process of gathering the information.

Gathering the data

As mentioned before, every CNA has a defined scope, but there is additional metadata associated with each CNA.

MITRE provides several ways to interact with its information. Red Hat created a command-line tool, invoked as cve, which can be used to check a CNA's basic information, reserve CVE IDs and list the published and reserved IDs, among other tasks.

aroldan ~  $ cve org
Fluid Attacks — Fluid Attacks
├─ Roles: CNA
├─ Created: Wed Jun  2 19:49:20 2021
└─ Modified:    Fri May  5 03:13:21 2023
aroldan ~  $ cve list | grep PUBLISHED | wc -l
      76
aroldan ~  $ cve list | head -2
CVE ID           STATE       OWNING CNA      RESERVED BY                                RESERVED ON
CVE-2022-0698    PUBLISHED   Fluid Attacks   aroldan (Fluid Attacks)   Mon Feb 21 02:32:28 2022
aroldan ~  $ cve show CVE-2022-0698
CVE-2022-0698
├─ State:   PUBLISHED
├─ Owning CNA:  Fluid Attacks
├─ Reserved by: aroldan (Fluid Attacks)
└─ Reserved on: Mon Feb 21 02:32:28 2022

But it is limited to the current CNA, which the tool identifies using the organization's own API credentials.

Other information can be seen on the CVE Program's List of Partners.

[Image: List of Partners]

As can be seen, Fluid Attacks' organization type is Researcher. To compare our performance with other Researcher CNAs, we must first filter out which other CNAs have the same type. A CNA can have multiple types:

[Image: Airbus]

Airbus, for example, is both a Vendor and a Researcher, and its scope includes Airbus products as well as third-party software.

However, we just want to check CNAs that have only the type Researcher, just like us.

That List of Partners page has a filter field, but it is not very advanced. However, with some simple tools we can see that the List of Partners page is actually a client-side application bundled into a JS file:

[Image: GetJS]

That JS script actually contains little code, but it embeds a JSON document with all the CNA information:

[Image: ParseJS1]

With some simple filters, the JSON can be extracted from the JS:

aroldan ~ $ curl -s https://www.cve.org/js/app.3611fa3b.js | grep -Eo 'g=JSON.parse\(.*\);r.Z.use' | sed -e "s/g=JSON\.parse('//g; s/');r.Z.use//g; s/<a href=\\\'//g; s/\\\' target=\\\'_blank\\\'>//g; s/\\\'//g" | json_pp
[
   {
      "CNA" : {
         "TLR" : {
            "organizationName" : "MITRE Corporation",
            "shortName" : "mitre"
         },
         "isRoot" : false,
         "roles" : [
            {
               "helpText" : "",
               "role" : "CNA"
            }
         ],
         "root" : {
            "organizationName" : "n/a",
            "shortName" : "n/a"
         },
         "type" : [
            "Vendor"
         ]
      },
      "cnaID" : "CNA-2009-0001",
      "contact" : [
         {
            "contact" : [
               {
                  "label" : "Adobe security contact page",
                  "url" : "https://helpx.adobe.com/security/alertus.html"
               }
            ],
...

With the extracted JSON, queries can be made directly. First, let's count the CNAs:

aroldan ~ $ curl -s https://www.cve.org/js/app.3611fa3b.js | grep -Eo 'g=JSON.parse\(.*\);r.Z.use' | sed -e "s/g=JSON\.parse('//g; s/');r.Z.use//g; s/<a href=\\\'//g; s/\\\' target=\\\'_blank\\\'>//g; s/\\\'//g" | json_pp | jq -c '.[]' | wc -l
     288
aroldan ~  $

Nice. At the time of writing, there are 288 active CNAs.

Since we can now search with any filter, let's check Fluid Attacks' CNA metadata:

aroldan ~ $ curl -s https://www.cve.org/js/app.3611fa3b.js | grep -Eo 'g=JSON.parse\(.*\);r.Z.use' | sed -e "s/g=JSON\.parse('//g; s/');r.Z.use//g; s/<a href=\\\'//g; s/\\\' target=\\\'_blank\\\'>//g; s/\\\'//g" | json_pp | jq '.[] | select (.organizationName == "Fluid Attacks")'
{
  "CNA": {
    "TLR": {
      "organizationName": "MITRE Corporation",
      "shortName": "mitre"
    },
    "isRoot": false,
    "roles": [
      {
        "helpText": "",
        "role": "CNA"
      }
    ],
    "root": {
      "organizationName": "n/a",
      "shortName": "n/a"
    },
    "type": [
      "Researcher"
    ]
  },
  "cnaID": "CNA-2021-0020",
  "contact": [
    {
      "contact": [],
      "email": [
        {
          "emailAddr": "[email protected]",
          "label": "Email"
        }
      ],
      "form": []
    }
  ],
  "country": "Colombia",
  "disclosurePolicy": [
    {
      "label": "Policy",
      "language": "",
      "url": "https://fluidattacks.com/advisories/policy/"
    }
  ],
  "organizationName": "Fluid Attacks",
  "resources": [],
  "scope": "Vulnerabilities in third-party software discovered by Fluid Attacks that are not in another CNA’s scope",
  "securityAdvisories": {
    "advisories": [
      {
        "label": "Advisories",
        "url": "https://fluidattacks.com/advisories/"
      }
    ],
    "alerts": []
  },
  "shortName": "Fluid Attacks"
}

Cool. Now we can find all the CNAs that are only the Researcher type:

aroldan ~ $ curl -s https://www.cve.org/js/app.3611fa3b.js | grep -Eo 'g=JSON.parse\(.*\);r.Z.use' | sed -e "s/g=JSON\.parse('//g; s/');r.Z.use//g; s/<a href=\\\'//g; s/\\\' target=\\\'_blank\\\'>//g; s/\\\'//g" | json_pp | jq -c '.[] | select ( .CNA.type == ["Researcher"])' | wc -l
      16
aroldan ~  $

Surprisingly, out of the 288 current CNAs, there are just 16 Researcher-only CNAs in the world.

Performance of Researcher CNAs

We now have the CNAs that share our type. At Fluid Attacks, we have a dedicated team performing research, with a clear prioritization model and a well-oiled methodology for finding vulnerabilities in software that fits our scope.

Measuring the performance of a Researcher CNA is hard, because it depends on each CNA's internal process for assigning CVE IDs.

The only publicly available parameters for comparing these CNAs are basically the total number of CVE IDs assigned and the number of CVE IDs assigned per year.

One piece of metadata that is only visible in the JSON is the CNA ID.

aroldan ~ $ curl -s https://www.cve.org/js/app.3611fa3b.js | grep -Eo 'g=JSON.parse\(.*\);r.Z.use' | sed -e "s/g=JSON\.parse('//g; s/');r.Z.use//g; s/<a href=\\\'//g; s/\\\' target=\\\'_blank\\\'>//g; s/\\\'//g" | json_pp | jq '.[] | select ( .CNA.type == ["Researcher"] and .organizationName == "Fluid Attacks") | .cnaID'
"CNA-2021-0020"

Given that value, and the date we were admitted (June 2, 2021), it is safe to assume that the CNA ID contains the year in which MITRE accepted the organization as a CNA.

Combining the CNA ID year with each CNA's number of published CVE IDs, this is the data gathered for the Researcher-type CNAs:

| CNA | Country | # CVEs | CNA ID Year | CVEs/Year | Ranking (Total) | Ranking (CVEs/Year) |
|---|---|---|---|---|---|---|
| Cyber Security Works Pvt. Ltd | India | 55 | 2020 | 13.75 | 5 | 7 |
| Fluid Attacks | Colombia | 76 | 2021 | 25.33 | 3 | 4 |
| Larry Cashdollar | USA | 9 | 2016 | 1.13 | 10 | 11 |
| Talos | USA | 55 | 2016 | 6.88 | 5 | 8 |
| Government Technology Agency of Singapore Cyber Security Group (GovTech CSG) | Singapore | 18 | 2021 | 6.00 | 9 | 9 |
| AppCheck Ltd | UK | 6 | 2021 | 2.00 | 11 | 10 |
| VulDB | Switzerland | 480 | 2001 | 20.87 | 1 | 5 |
| Dutch Institute for Vulnerability Disclosure (DIVD) | Netherlands | | 2022 | 0.00 | 13 | |
| Automotive Security Research Group (ASRG) | USA | 1 | 2022 | 0.50 | 12 | 12 |
| ZUSO Advanced Research Team (ZUSO ART) | Taiwan | 36 | 2022 | 18.00 | 8 | 6 |
| The Missing Link Australia (TML) | Australia | 51 | 2022 | 25.50 | 7 | 3 |
| NetRise | USA | 0 | 2022 | 0.00 | 13 | 13 |
| Austin Hackers Anonymous | USA | 0 | 2023 | 0.00 | 13 | |
| STAR Labs SG Pte. Ltd | Singapore | 100 | 2023 | 100.00 | 2 | 1 |
| Securifera, Inc | USA | 61 | 2023 | 61.00 | 4 | 2 |
| Halborn | USA | 0 | 2023 | 0.00 | 13 | 13 |
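The whole pipeline above (cutting the partner JSON out of the JS bundle, keeping Researcher-only CNAs, reading the admission year from the CNA ID, and ranking by total and per-year CVE IDs) condensed into a script. This is an added example, not code from the post: the partner records and PUBLISHED counts are constructed (only Fluid Attacks' entry and its 76 CVE IDs come from the post, the XXXX IDs are placeholders), and the CVEs/Year formula, total divided by (2023 - CNA ID year + 1), is an assumption inferred from the table.

```python
import json
import re
# Constructed partner records (only Fluid Attacks is real; the XXXX IDs are placeholders).
PARTNERS = [
    {"CNA": {"type": ["Researcher"]}, "cnaID": "CNA-2021-0020",
     "organizationName": "Fluid Attacks", "scope": "Software not in another CNA's scope"},
    {"CNA": {"type": ["Vendor", "Researcher"]}, "cnaID": "CNA-2016-XXXX",
     "organizationName": "Example Vendor Lab"},
    {"CNA": {"type": ["Researcher"]}, "cnaID": "CNA-2023-XXXX",
     "organizationName": "Example Research Lab"},
    {"CNA": {"type": ["Researcher"]}, "cnaID": "CNA-2022-XXXX",
     "organizationName": "Example Research Lab Two"},
]
# Stand-in for app.3611fa3b.js: the real bundle embeds the list as g=JSON.parse('...');r.Z.use
# inside a single-quoted JS string, so any ' inside the JSON appears escaped as \'.
BUNDLE_JS = "var g=JSON.parse('" + json.dumps(PARTNERS).replace("'", "\\'") + "');r.Z.use(m)"
# Constructed PUBLISHED counts per CNA (only Fluid Attacks' 76 comes from the post).
PUBLISHED = {"Fluid Attacks": 76, "Example Research Lab": 100, "Example Research Lab Two": 76}
JSON_RE = re.compile(r"g=JSON\.parse\('(.*?)'\);r\.Z\.use", re.S)

def extract_cna_list(bundle_js: str) -> list:
    """Cut the partner JSON out of the bundle, as the grep/sed pipeline does, and parse it."""
    match = JSON_RE.search(bundle_js)
    if match is None:
        raise ValueError("partner JSON not found in bundle")
    return json.loads(match.group(1).replace("\\'", "'"))  # undo the JS quote escaping

def researcher_only(cnas: list) -> list:
    """Same as jq's select(.CNA.type == ["Researcher"]): Researcher must be the only type."""
    return [c for c in cnas if c["CNA"]["type"] == ["Researcher"]]

def cna_year(cna: dict) -> int:
    """The CNA ID (CNA-YYYY-NNNN) carries the year MITRE admitted the organization."""
    return int(re.match(r"CNA-(\d{4})-", cna["cnaID"]).group(1))

def competition_rank(values: list) -> list:
    """Standard competition ranking, highest first: ties share a rank and the next rank is skipped."""
    ordered = sorted(values, reverse=True)
    return [ordered.index(v) + 1 for v in values]

def performance_table(cnas: list, published: dict, ref_year: int = 2023) -> list:
    """Rows (name, total, per_year, rank_total, rank_per_year) for Researcher-only CNAs.
    Assumption inferred from the post's table: CVEs/Year = total / (ref_year - CNA ID year + 1)."""
    rows = researcher_only(cnas)
    totals = [published.get(c["organizationName"], 0) for c in rows]
    per_year = [round(t / (ref_year - cna_year(c) + 1), 2) for t, c in zip(totals, rows)]
    ranks = zip(competition_rank(totals), competition_rank(per_year))
    return [(c["organizationName"], t, p, rt, rp)
            for c, t, p, (rt, rp) in zip(rows, totals, per_year, ranks)]
```

Running performance_table(extract_cna_list(BUNDLE_JS), PUBLISHED) reproduces the tie handling seen in the table, where two CNAs with the same total share a rank and the following rank is skipped.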

CNA performance analysis

  • VulDB is the CNA with the most CVEs assigned. However, its per-year performance is ranked fifth.
  • STAR Labs SG has the best per-year CNA performance.
  • Fluid Attacks has the third-best performance in total CVE IDs assigned and the fourth-best in assignments per year. Not bad!
  • Fluid Attacks has the best performance in the Americas by total CVE IDs assigned!

Conclusions

This was a hacker's view of the performance of Researcher CNAs. The data shows Fluid Attacks has had an outstanding performance. Note that there are other research teams in the world that look for vulnerabilities and report them directly through the MITRE Root CNA, but those were not included in this analysis.
