CVE Assignment and publication
Since 15 January 2020, INCIBE has been identified as CNA (CVE - Common Vulnerabilities and Exposures - Numbering Authority), taking on from this date, the good practices of said program.
This adhesion means that INCIBE becomes one of the organizations authorized to the designation of CVE identifiers within its scope, as well as their corresponding publication in the CNA section. This policy also aims to ensure that end users have some mitigation mechanism available to them before the CVE is released.
What can I notify to INCIBE-CERT's CNA?
INCIBE-CERT´s CNA manages Zero Days or vulnerabilities not yet known by the manufacturer of the affected asset, which have not been assigned a CVE identifier.
Which cases are not managed by INCIBE-CERT's CNA?
This policy does not cover the notification of vulnerabilities observed on assets when the identified vulnerability already has a CVE assigned and published. In these cases, you should contact the INCIBE-CERT incident reporting section.
How to contact INCIBE-CERT's CNA?
To report a potential CVE candidate to INCIBE-CERT CNA, send an email to the mailbox 
, where you will be guided through the entire CVE assignment and publication process.
It is advisable to transmit the information encrypted with the public PGP key associated with this mailbox (download public key), which you may also find, along its fingerprint, on the page listing our PGP keys.
The accepted languages for receiving the information are: Spanish and English.
Any communication with INCIBE-CERT CNA will be subject to INCIBE's Personal Data Protection Policy.
CVE assignment and publication process
- Once the notification is received, INCIBE will confirm its receipt and begin communication with the interested party within a period of no more than 3 working days.
- The period of assignment and publication of a CVE is agreed on a case-by-case basis with the reporting researcher and the organization responsible for the affected asset.
- Once the above period has been agreed upon, it may only be extended when the actors involved demonstrate that they are working on an effective and efficient solution to the problem.
- INCIBE will not publicly announce a CVE until the corrections are available, as long as a solution is being worked on. Likewise, if due to the characteristics of the CVE (probability of it being exploited, or the level of impact), INCIBE reserves the right to communicate, prior to the assignment and publication of the CVE, to possible interested parties.
- If for any reason, the person responsible for the remediation does not adequately evidence the performance of any type of action for its resolution, by default, the CVE may be assigned and published by INCIBE´s CNA after 60 days
Transformation of INCIBE´s role into Root
Since 17 June 2021, in addition to the coordination and assignment of CVE identifiers, INCIBE adopts the role of Root assuming the role of coordinating the possible CNAs under its scope.
As a Root, INCIBE will be also responsible for ensuring the effective assignment of CVE identifiers assigned by all those CNA coordinated by INCIBE, in addition to implementing the CVE Program rules and guidelines. It will be also responsible for recruitment and on boarding of new CNA and resolving disputes within its scope. In addition, INCIBE has extended its CNA scope to those CVE candidates reported to INCIBE by Spanish researchers that are not within the scope of another CNA.
The policies adopted by both INCIBE Root and the CNAs under its supervision are detailed below:
- End of life products policy
- Inactive CNA procedure and policy
- RBP procedure and policy
- INCIBE Root Appeal Policy
INCIBE’s Root designation consolidates INCIBE as a key agent of trust for the exchange of this type of information among Spanish organizations, thereby promoting a greater and better exchange of information so that all parties involved in this process can make better decisions in order to continue raising the level of cybersecurity of national companies.
Want to be part of the CVE program?
One of the main missions of the Roots is to promote the CVE program, inviting and creating new CNAs under its supervision.
If you want more information on how to join the program and become a CNA, you can contact us through the mailbox , from where we will indicate the necessary requirements and guide you through the entire process.
Acknowledgments
The following researchers, classified by the number of CVEs published and in alphabetical order, have participated in the CVE program coordinated by INCIBE's CNA, discovering these security problems and agreeing to be mentioned in this list, to whom we extend our thanks:
| Researcher´s Name | Reported CVE |
|---|---|
| Rafael Pedrero | 311 |
| David Utón Amaya (m3n0sd0n4ld) | 49 |
| Maximilian Hildebrand (m10x.de) | 40 |
| Aarón Flecha Menéndez | 37 |
| Gonzalo Aguilar Garcia (6h4ack) | 30 |
| Gabriel Vía Echezarreta | 23 |
| Alejandro Amorín Niño | 17 |
| Francisco Javier Medina Munuera | 16 |
| Jorge Alberto Palma Reyes | 16 |
| Pablo Arias Rodríguez | 16 |
| Sergio Román Hurtado | 16 |
| Guillermo Tuvilla Gómez | 15 |
| Antonio José Gálvez Sánchez | 14 |
| Pedro Gabaldón Juliá | 14 |
| Oscar Atienza | 13 |
| Gabriel Gonzalez García | 12 |
| Julen Garrido Estevez (B3xal) | 12 |
| Andrea Intilangelo (acme) | 11 |
| David Carrión Poza | 11 |
| Jacinto Moral Matellán | 11 |
| Pedro José Navas Pérez | 11 |
| Alejandro Baño Andrés | 10 |
| Ángel González | 10 |
| Joel Gámez Molina, @JoelGMSec | 10 |
| Albert Sánchez Miñano | 9 |
| Alexander Huaman Jaimes (@zanganox) | 9 |
| Asier Barranco | 9 |
| David Cámara Galindo | 9 |
| David Padilla Alvarado | 8 |
| Rubén Barberà Pérez | 8 |
| Miguel Segovia Gil | 6 |
| Tin Pham aka "TF1T" | 6 |
| Adrián Campazas Vega | 5 |
| Álvaro Piñero Laorden | 5 |
| Diego León Casas | 5 |
| HADESS | 5 |
| J. Daniel Martinez (dan1t0) | 5 |
| Konrad Kowal Karp | 5 |
| Ángel Heredia Pérez | 4 |
| Carlos Aguadé | 4 |
| Carlos Antonini Cepeda | 4 |
| Francisco Palma Esteo | 4 |
| Guillermo Garcia Molina | 4 |
| Héctor de Armas Padrón (@3v4SI0N) | 4 |
| Ignacio Aldarabi | 4 |
| Juampa Rodríguez | 4 |
| Luis Martín Liras | 4 |
| Pablo Valle Alvear | 4 |
| Rubén López Herrera | 4 |
| Andrés Elizalde Galdeano | 3 |
| Ángel Montilla Muñoz | 3 |
| anxx | 3 |
| Claudia Álvarez Aparicio | 3 |
| Enrique Benvenutto Navarro | 3 |
| Erlaitz Parreño Muñoz | 3 |
| Guzmán Fernández Ocaña | 3 |
| Ignacio García Mestre (Br4v3n) | 3 |
| Jesús Manzano Vázquez | 3 |
| Jorge Riopedre Vega | 3 |
| José Manuel Jerónimo | 3 |
| Juan Manuel Martínez Hernández | 3 |
| Luis Vázquez Castaño | 3 |
| Manuel Iván San Martín Castillo | 3 |
| Pablo Alcarria Lozano | 3 |
| Pau Valls Peleteiro | 3 |
| Sergio Apellániz | 3 |
| Víctor Fresco Perales (@hacefresko) | 3 |
| Víctor Rodríguez Carreño | 3 |
| Adriá Bonilla Martin | 2 |
| Alberto Gasulla | 2 |
| Alberto Miguel Diez | 2 |
| Aldayr Ruiz (xsmaky) | 2 |
| Ander Martínez Sola | 2 |
| Bertrand Lorente Yáñez | 2 |
| Carlos Polop Martin | 2 |
| Carolina Gómez Uriarte | 2 |
| David Álvarez Robles | 2 |
| David Manuel Herrera Rodríguez | 2 |
| David Matilla Rebollo | 2 |
| Edgar Carrillo Egea | 2 |
| Francisco Díaz-Pache Alonso | 2 |
| Gema de la Fuente Romero | 2 |
| Ismael Pacheco Torrecilla | 2 |
| Javier Fernandez Beré | 2 |
| Jesús Antón | 2 |
| Jesús Ródenas Huerta, @Marmeus | 2 |
| Joel Serna Moreno | 2 |
| Jorge Manuel Lozano Gómez | 2 |
| José Luis Verdeguer Navarro | 2 |
| Marina Fabregat Expósito | 2 |
| Oriol Vilella Jam | 2 |
| Pablo Lago Romaní | 2 |
| Konrad Kowal Karp @nag0mez | 2 |
| Raúl Caro Teixido | 2 |
| Raúl Fuentes Ferrer | 2 |
| Reza Rashidi | 2 |
| Sergio Corral Cristo | 2 |
| Víctor Bello Cuevas | 2 |
| Victor Fidalgo Villar | 2 |
| Adrián Marín Villar | 1 |
| Agustín Picazo (Black Giraffe) | 1 |
| Álex Rodríguez Pérez | 1 |
| Alfredo Mariños | 1 |
| Andrea Brosio | 1 |
| Andris Raugulis | 1 |
| Andrea Serrano Urea | 1 |
| @_Barriuso | 1 |
| Bruno López (n0d0n) | 1 |
| Camilo Andrés Bruna | 1 |
| Carlos Alonso Arranz | 1 |
| Carlos Galean | 1 |
| Chetani Mesa Guzmán | 1 |
| Cristhian Pacherres | 1 |
| Daniel Collado Tomé | 1 |
| Daniel Martínez Adan (adon90) | 1 |
| David Aparicio Salcedo | 1 |
| David Jiménez | 1 |
| Edmundo Figueiras Gomez | 1 |
| Ehab Hussein | 1 |
| Enrique Fernández Lorenzo (bighound) | 1 |
| Ethan Shackelford | 1 |
| Gerard Fuguet Morales | 1 |
| Germán Planells García | 1 |
| Guillermo Mejías Climent (Flamberik) | 1 |
| Héctor Sarrión | 1 |
| Ignacio Lis Malagón | 1 |
| Iker Loidi Auza | 1 |
| Ismael Melchor Juan | 1 |
| Jakob Pfister | 1 |
| Jan Adamski (johnny1337.pl) | 1 |
| Javier Garcia Antón | 1 |
| Javier Hernández | 1 |
| Javier Paradelo Rodriguez | 1 |
| Javier Valero Martí | 1 |
| Jesús Alcalde Alcázar | 1 |
| Jesús Higueras | 1 |
| Jesús Olmos Gonzales | 1 |
| Jordi Forès | 1 |
| Jorge Gutiérrez Valderrama | 1 |
| Juan González | 1 |
| Julián J. Menéndez | 1 |
| Keval Shah | 1 |
| Kevin Gonzalvo Vicente | 1 |
| Manuel Gomez Argandoña | 1 |
| Manuel Segovia Gil | 1 |
| Marcos Díaz Castiñeiras | 1 |
| Mauricio Jara | 1 |
| Miguel Gallego Vara | 1 |
| Milan Duric | 1 |
| Pablo Arriaga Perez | 1 |
| Pablo Pardo | 1 |
| Pedro Cabrera Cámara | 1 |
| Petar Alexandrov Nikolov | 1 |
| Raquel Gálvez Farfán | 1 |
| Raúl Calvo Laorden | 1 |
| Raúl Vega Arjona | 1 |
| Sergio Corchado Lucero | 1 |
| Sergio González González | 1 |
| Tarek Bouali, @iambouali | 1 |
