CVE Assignment and publication
Since 15 January 2020, INCIBE has been identified as CNA (CVE - Common Vulnerabilities and Exposures - Numbering Authority), taking on from this date, the good practices of said program.
This adhesion means that INCIBE becomes one of the organizations authorized to the designation of CVE identifiers within its scope, as well as their corresponding publication in the CNA section.
This policy also aims to ensure that end users have some mitigation mechanism available to them before the CVE is released.
What can I notify to INCIBE-CERT´s CNA?
INCIBE-CERT´s CNA manages Zero Days or vulnerabilities not yet known by the manufacturer of the affected asset, which have not been assigned a CVE identifier.
Which cases are not managed by INCIBE-CERT´s CNA?
This policy does not cover the notification of vulnerabilities observed on assets when the identified vulnerability already has a CVE assigned and published. In these cases, you should contact the INCIBE-CERT incident reporting section.
How to contact INCIBE-CERT´s CNA?
To report a potential CVE candidate to INCIBE-CERT CNA, send an email to the mailbox 
, where you will be guided through the entire CVE assignment and publication process.
It is advisable to transmit the information encrypted with the public PGP key associated with this mailbox (download public key).
You can verify the authenticity of this key by downloading it to your key ring and executing the command:
$ gpg -k
The accepted languages for receiving the information are: Spanish and English.
Any communication with INCIBE-CERT CNA will be subject to INCIBE´s Personal Data Protection Policy.
CVE assignment and publication process
- Once the notification is received, INCIBE will confirm its receipt and begin communication with the interested party within a period of no more than 3 working days.
- The period of assignment and publication of a CVE is agreed on a case-by-case basis with the reporting researcher and the organization responsible for the affected asset.
- Once the above period has been agreed upon, it may only be extended when the actors involved demonstrate that they are working on an effective and efficient solution to the problem.
- INCIBE will not publicly announce a CVE until the corrections are available, as long as a solution is being worked on. Likewise, if due to the characteristics of the CVE (probability of it being exploited, or the level of impact), INCIBE reserves the right to communicate, prior to the assignment and publication of the CVE, to possible interested parties.
- If for any reason, the person responsible for the remediation does not adequately evidence the performance of any type of action for its resolution, by default, the CVE may be assigned and published by INCIBE´s CNA after 60 days
Transformation of INCIBE´s role into Root
Since 17 June 2021, in addition to the coordination and assignment of CVE identifiers, INCIBE adopts the role of Root assuming the role of coordinating the possible CNAs under its scope.
As a Root, INCIBE will be also responsible for ensuring the effective assignment of CVE identifiers assigned by all those CNA coordinated by INCIBE, in addition to implementing the CVE Program rules and guidelines. It will be also responsible for recruitment and on boarding of new CNA and resolving disputes within its scope. In addition, INCIBE has extended its CNA scope to those CVE candidates reported to INCIBE by Spanish researchers that are not within the scope of another CNA.
The policies adopted by both INCIBE Root and the CNAs under its supervision are detailed below:
- End of life products policy
- Inactive CNA procedure and policy
- RBP procedure and policy
- INCIBE Root Appeal Policy
INCIBE’s Root designation consolidates INCIBE as a key agent of trust for the exchange of this type of information among Spanish organizations, thereby promoting a greater and better exchange of information so that all parties involved in this process can make better decisions in order to continue raising the level of cybersecurity of national companies.
Want to be part of the CVE program?
One of the main missions of the Roots is to promote the CVE program, inviting and creating new CNAs under its supervision.
If you want more information on how to join the program and become a CNA, you can contact us through the mailbox , from where we will indicate the necessary requirements and guide you through the entire process.
Acknowledgments
The following researchers, classified by the number of CVEs published and in alphabetical order, have participated in the CVE program coordinated by INCIBE´s CNA, discovering these security problems and agreeing to be mentioned in this list, to whom we extend our thanks:
| Researcher´s Name | Reported CVE |
|---|---|
| Rafael Pedrero | 137 |
| Jorge Alberto Palma Reyes | 16 |
| Pablo Arias Rodríguez | 16 |
| Sergio Román Hurtado | 16 |
| Aarón Flecha Menéndez | 15 |
| Alejandro Amorín Niño | 15 |
| Guillermo Tuvilla Gómez | 15 |
| David Utón Amaya (m3n0sd0n4ld) | 12 |
| Jacinto Moral Matellán | 11 |
| Francisco Javier Medina Munuera | 10 |
| Joel Gámez Molina, @JoelGMSec | 10 |
| Albert Sánchez Miñano | 9 |
| David Cámara Galindo | 9 |
| Antonio José Gálvez Sánchez | 8 |
| Pedro Gabaldón Juliá | 8 |
| Pedro José Navas Pérez | 8 |
| Rubén Barberà Pérez | 8 |
| Gabriel Gonzalez García | 6 |
| Tin Pham aka "TF1T" | 6 |
| HADESS | 5 |
| Alejandro Baño Andrés | 4 |
| Carlos Antonini Cepeda | 4 |
| Diego León Casas | 4 |
| Francisco Palma Esteo | 4 |
| Guillermo Garcia Molina | 4 |
| Juampa Rodríguez | 4 |
| Luis Martín Liras | 4 |
| Oscar Atienza | 4 |
| Pablo Valle Alvear | 4 |
| Rubén López Herrera | 4 |
| Alexander Huaman Jaimes (@zanganox) | 3 |
| Andrés Elizalde Galdeano | 3 |
| anxx | 3 |
| Enrique Benvenutto Navarro | 3 |
| Gabriel Vía Echezarreta | 3 |
| J. Daniel Martinez (dan1t0) | 3 |
| Konrad Kowal Karp | 3 |
| Luis Vázquez Castaño | 3 |
| Miguel Segovia Gil | 3 |
| Sergio Apellániz | 3 |
| Adrián Campazas Vega | 2 |
| Alberto Miguel Diez | 2 |
| Ander Martínez Sola | 2 |
| Ángel Heredia Pérez | 2 |
| David Álvarez Robles | 2 |
| David Matilla Rebollo | 2 |
| Francisco Díaz-Pache Alonso | 2 |
| Héctor de Armas Padrón (@3v4SI0N) | 2 |
| Jesús Antón | 2 |
| Jesús Ródenas Huerta, @Marmeus | 2 |
| Joel Serna Moreno | 2 |
| José Luis Verdeguer Navarro | 2 |
| @nag0mez | 2 |
| Sergio Corral Cristo | 2 |
| Victor Fidalgo Villar | 2 |
| Víctor Fresco Perales (@hacefresko) | 2 |
| Agustín Picazo (Black Giraffe) | 1 |
| @_Barriuso | 1 |
| Camilo Andrés Bruna | 1 |
| Daniel Martínez Adan (adon90) | 1 |
| David Jiménez | 1 |
| David Manuel Herrera Rodríguez | 1 |
| Edgar Carrillo Egea | 1 |
| Gerard Fuguet Morales | 1 |
| Germán Planells García | 1 |
| Ignacio García Mestre (Br4v3n) | 1 |
| Ignacio Lis Malagón | 1 |
| Iker Loidi Auza | 1 |
| Jan Adamski (johnny1337.pl) | 1 |
| Javier Garcia Antón | 1 |
| Jesús Olmos Gonzales | 1 |
| Jorge Gutiérrez Valderrama | 1 |
| Jorge Manuel Lozano Gómez | 1 |
| Juan González | 1 |
| Julián J. Menéndez | 1 |
| Keval Shah | 1 |
| Manuel Segovia Gil | 1 |
| Pablo Alcarria Lozano | 1 |
| Petar Alexandrov Nikolov | 1 |
| Sergio González González | 1 |
| Tarek Bouali, @iambouali | 1 |
