Since 15 January 2020, INCIBE has been identified as CNA (CVE - Common Vulnerabilities and Exposures - Numbering Authority), taking on from this date, the good practices of said program.
This policy also aims to ensure that end users have some mitigation mechanism available to them before the CVE is released.
What can I notify to INCIBE´s CNA?
INCIBE´s CNA manages Zero Days or vulnerabilities not yet known by the manufacturer of the affected asset, which have not been assigned a CVE identifier.
Which cases are not managed by INCIBE´s CNA?
This policy does not cover the notification of vulnerabilities observed on assets when the identified vulnerability already has a CVE assigned and published. In these cases, you should contact the INCIBE incident reporting section.
How to contact INCIBE´s CNA?
To report a potential CVE candidate to INCIBE CNA, send an email to the mailbox , where you will be guided through the entire CVE assignment and publication process.
It is advisable to transmit the information encrypted with the public PGP key associated with this mailbox (download public key).
You can verify the authenticity of this key by downloading it to your key ring and executing the command:
$ gpg -k pub rsa4096 2019-12-20 [expires: 2021-12-19] key fingerprint E3AD A30A 89B3 F90D 5FBB 624B B5FA AD1E 641B AA47 uid Spanish National CNA <> sub rsa4096 2019-12-20 [expires: 2021-12-19] sub rsa4096 2019-12-20 [expires: 2021-12-19]
The accepted languages for receiving the information are: Spanish and English.
CVE assignment and publication process
- Once the notification is received, INCIBE will confirm its receipt and begin communication with the interested party within a period of no more than 72 hours.
- The period of assignment and publication of a CVE is agreed on a case-by-case basis with the reporting researcher and the organization responsible for the affected asset.
- Once the above period has been agreed upon, it may only be extended when the actors involved demonstrate that they are working on an effective and efficient solution to the problem.
- INCIBE will not publicly announce a CVE until the corrections are available, as long as a solution is being worked on. Likewise, if due to the characteristics of the CVE (probability of it being exploited, or the level of impact), INCIBE reserves the right to communicate, prior to the assignment and publication of the CVE, to possible interested parties.
- If for any reason, the person responsible for the remediation does not adequately evidence the performance of any type of action for its resolution, by default, the CVE may be assigned and published by INCIBE´s CNA after 60 days
Transformation of INCIBE´s role into Root
Since 17 June 2021, in addition to the coordination and assignment of CVE identifiers, INCIBE adopts the role of Root assuming the role of coordinating the possible CNAs under its scope.
As a Root, INCIBE will be also responsible for ensuring the effective assignment of CVE identifiers assigned by all those CNA coordinated by INCIBE, in addition to implementing the CVE Program rules and guidelines. It will be also responsible for recruitment and on boarding of new CNA and resolving disputes within its scope. In addition, INCIBE has extended its CNA scope to those CVE candidates reported to INCIBE by Spanish researchers that are not within the scope of another CNA.
The policies adopted by both INCIBE Root and the CNAs under its supervision are detailed below:
- End of life products policy
- Inactive CNA procedure and policy
- RBP procedure and policy
- INCIBE Root Appeal Policy
INCIBE’s Root designation consolidates INCIBE as a key agent of trust for the exchange of this type of information among Spanish organizations, thereby promoting a greater and better exchange of information so that all parties involved in this process can make better decisions in order to continue raising the level of cybersecurity of national companies.
Want to be part of the CVE program?
One of the main missions of the Roots is to promote the CVE program, inviting and creating new CNAs under its supervision.
If you want more information on how to join the program and become a CNA, you can contact us through the mailbox , from where we will indicate the necessary requirements and guide you through the entire process.
The following researchers, classified by the number of CVEs published and in alphabetical order, have participated in the CVE program coordinated by INCIBE´s CNA, discovering these security problems and agreeing to be mentioned in this list, to whom we extend our thanks:
|Position||Researcher´s Name||Reported CVE|
|1||Aarón Flecha Menéndez||8|
|2||Luis Martín Liras||4|
|3||Ander Martínez Sola||1|
|3||Diego León Casas||1|
|3||Francisco Palma Esteo||1|
|3||Jorge Alberto Palma Reyes||1|
|3||Luis Vázquez Castaño||1|
|3||Pablo Sebastián Arias Rodríguez||1|
|3||Rubén Barberà Pérez||1|