INCIBE will coordinate other relevant agencies in the designation and disclosure of vulnerabilities at the international level

The Spanish National Cybersecurity Institute (INCIBE) has been appointed Root, that is, coordinator and supervisor of other CNA, competent bodies in the designation, publication and disclosure of vulnerabilities affecting their sector and activity (CNA: CVE Numbering Authority).

Vulnerabilities are weaknesses in the computational logic of a device, located in the software and hardware components. If these vulnerabilities are exploited, they would have a negative impact on the confidentiality, integrity or availability of these devices and the information they contain.

Each CNA is responsible for the assignment and publication of CVE identifiers for products within its scope, while a Root manages a group of CNA belonging to the same domain or community. Currently, INCIBE and JPCERT/CC, are Roots under the MITRE Top Level Root. There are also 173 CNA across 29 countries actively participating in the CVE Program.

It should be remembered that CVE (Common Vulnerabilities and Exposures) is the international standard for identifying existing vulnerabilities in a given computer device. When a problem is discovered in such devices, it is analysed whether the error has been discovered previously and, if not, an identifier is assigned to it.

As a Root, INCIBE will be also responsible for ensuring the effective assignment of CVE identifiers assigned by all those CNA coordinated by INCIBE, in addition to implementing the CVE Program rules and guidelines. It will be also responsible for recruitment and on boarding of new CNA and resolving disputes within its scope. In addition, INCIBE has extended its CNA scope to those CVE candidates reported to INCIBE by Spanish researchers that are not within the scope of another CNA.

On her side, Rosa Díaz, general director of INCIBE, highlighted “The importance of this new role of the Institute, with public-private collaboration being one of the strategic points that will break down physical borders, which do not exist in the digital word, with the aim of detecting new vulnerabilities and strengthening cybersecurity capabilities so that our citizens and our companies are better protected”.

In addition, “The CVE Board is pleased to see INCIBE enhancing it’s mission of  strengthening cybersecurity by stepping up their contributions to the vulnerability management community. The CVE Board welcomes INCIBE’s new role in the program as a Root CNA.  We look forward to working with INCIBE in the days and years ahead”, noted Kent Landfield, CVE Board member and Chair of the CVE Strategic Planning Working Group.

INCIBE’s Root designation consolidates INCIBE as a key agent of trust for the exchange of this type of information among Spanish organizations, thereby promoting a greater and better exchange of information so that all parties involved in this process can make better decisions in order to continue raising the level of cybersecurity of national companies.

INCIBE as CNA

Last January, 2020, INCIBE was appointed a CNA by the CVE Program. Thus INCIBE, became the single point of contact in Spain for the reception of vulnerabilities discovered in the field of Information Technology (IT), industrial systems and Internet of Thing (IoT) devices.

For more information, please consult the CNA section of the INCIBE-CERT website.