CVE Assignment and publication

Since 15 January 2020, INCIBE has been identified as a CNA (CVE Numbering Authority, where CVE stands for Common Vulnerabilities and Exposures), and from that date it has adopted the good practices of the program.

This membership means that INCIBE is one of the organizations authorized to assign CVE identifiers within its scope and to publish them in the CNA section. This policy also aims to ensure that end users have some mitigation mechanism available to them before the CVE is released.

What can I report to INCIBE-CERT's CNA?

INCIBE-CERT's CNA manages zero-days, or vulnerabilities not yet known to the manufacturer of the affected asset, which have not been assigned a CVE identifier.

Which cases are not managed by INCIBE-CERT's CNA?

This policy does not cover the notification of vulnerabilities observed on assets when the identified vulnerability already has a CVE assigned and published. In these cases, you should contact the INCIBE-CERT incident reporting section.

How to contact INCIBE-CERT's CNA?

To report a potential CVE candidate to INCIBE-CERT CNA, send an email to the mailbox c v e dash c o o r d i n a t i o n at i n c i b e dot e s, where you will be guided through the entire CVE assignment and publication process.

It is advisable to encrypt the information with the public PGP key associated with this mailbox (download public key), which you can also find, along with its fingerprint, on the page listing our PGP keys.

Information is accepted in Spanish and English.

Any communication with INCIBE-CERT CNA will be subject to INCIBE's Personal Data Protection Policy.

CVE assignment and publication process

  • Once the notification is received, INCIBE will confirm its receipt and begin communication with the interested party within a period of no more than 3 working days.
  • The period for assignment and publication of a CVE is agreed on a case-by-case basis with the reporting researcher and the organization responsible for the affected asset.
  • Once this period has been agreed upon, it may only be extended when the actors involved demonstrate that they are working on an effective and efficient solution to the problem.
  • INCIBE will not publicly announce a CVE until the corrections are available, as long as a solution is being worked on. Likewise, depending on the characteristics of the CVE (the probability of it being exploited, or the level of impact), INCIBE reserves the right to communicate it to possible interested parties prior to the assignment and publication of the CVE.
  • If, for any reason, the party responsible for the remediation does not adequately demonstrate that any action is being taken to resolve it, the CVE may by default be assigned and published by INCIBE's CNA after 60 days.

Transformation of INCIBE's role into Root

Since 17 June 2021, in addition to coordinating and assigning CVE identifiers, INCIBE has adopted the role of Root, coordinating any CNAs under its scope.

As a Root, INCIBE is also responsible for ensuring the effective assignment of CVE identifiers by all the CNAs it coordinates, in addition to implementing the CVE Program rules and guidelines. It is also responsible for recruiting and onboarding new CNAs and for resolving disputes within its scope. In addition, INCIBE has extended its CNA scope to those CVE candidates reported to INCIBE by Spanish researchers that are not within the scope of another CNA.

The policies adopted by both INCIBE Root and the CNAs under its supervision are detailed below:

INCIBE’s Root designation consolidates INCIBE as a key agent of trust for the exchange of this type of information among Spanish organizations, thereby promoting a greater and better exchange of information so that all parties involved in this process can make better decisions in order to continue raising the level of cybersecurity of national companies.

Want to be part of the CVE program?

One of the main missions of the Roots is to promote the CVE program, inviting and creating new CNAs under its supervision.

If you want more information on how to join the program and become a CNA, you can contact us through the mailbox c v e dash c o o r d i n a t i o n at i n c i b e dot e s, from where we will indicate the necessary requirements and guide you through the entire process.

Acknowledgments

The following researchers, ordered by the number of CVEs published and then alphabetically, have participated in the CVE program coordinated by INCIBE's CNA by discovering these security problems and have agreed to be mentioned in this list. We extend our thanks to them:

Researcher's Name | Reported CVE
Rafael Pedrero | 311
David Utón Amaya (m3n0sd0n4ld) | 49
Maximilian Hildebrand (m10x.de) | 40
Aarón Flecha Menéndez | 37
Gonzalo Aguilar Garcia (6h4ack) | 30
Gabriel Vía Echezarreta | 23
Alejandro Amorín Niño | 17
Francisco Javier Medina Munuera | 16
Jorge Alberto Palma Reyes | 16
Pablo Arias Rodríguez | 16
Sergio Román Hurtado | 16
Guillermo Tuvilla Gómez | 15
Antonio José Gálvez Sánchez | 14
Pedro Gabaldón Juliá | 14
Oscar Atienza | 13
Gabriel Gonzalez García | 12
Julen Garrido Estevez (B3xal) | 12
Andrea Intilangelo (acme) | 11
David Carrión Poza | 11
Jacinto Moral Matellán | 11
Pedro José Navas Pérez | 11
Alejandro Baño Andrés | 10
Ángel González | 10
Joel Gámez Molina, @JoelGMSec | 10
Albert Sánchez Miñano | 9
Alexander Huaman Jaimes (@zanganox) | 9
Asier Barranco | 9
David Cámara Galindo | 9
David Padilla Alvarado | 8
Rubén Barberà Pérez | 8
Miguel Segovia Gil | 6
Tin Pham aka "TF1T" | 6
Adrián Campazas Vega | 5
Álvaro Piñero Laorden | 5
Diego León Casas | 5
HADESS | 5
J. Daniel Martinez (dan1t0) | 5
Konrad Kowal Karp | 5
Ángel Heredia Pérez | 4
Carlos Aguadé | 4
Carlos Antonini Cepeda | 4
Francisco Palma Esteo | 4
Guillermo Garcia Molina | 4
Héctor de Armas Padrón (@3v4SI0N) | 4
Ignacio Aldarabi | 4
Juampa Rodríguez | 4
Luis Martín Liras | 4
Pablo Valle Alvear | 4
Rubén López Herrera | 4
Andrés Elizalde Galdeano | 3
Ángel Montilla Muñoz | 3
anxx | 3
Claudia Álvarez Aparicio | 3
Enrique Benvenutto Navarro | 3
Erlaitz Parreño Muñoz | 3
Guzmán Fernández Ocaña | 3
Ignacio García Mestre (Br4v3n) | 3
Jesús Manzano Vázquez | 3
Jorge Riopedre Vega | 3
José Manuel Jerónimo | 3
Juan Manuel Martínez Hernández | 3
Luis Vázquez Castaño | 3
Manuel Iván San Martín Castillo | 3
Pablo Alcarria Lozano | 3
Pau Valls Peleteiro | 3
Sergio Apellániz | 3
Víctor Fresco Perales (@hacefresko) | 3
Víctor Rodríguez Carreño | 3
Adriá Bonilla Martin | 2
Alberto Gasulla | 2
Alberto Miguel Diez | 2
Aldayr Ruiz (xsmaky) | 2
Ander Martínez Sola | 2
Bertrand Lorente Yáñez | 2
Carlos Polop Martin | 2
Carolina Gómez Uriarte | 2
David Álvarez Robles | 2
David Manuel Herrera Rodríguez | 2
David Matilla Rebollo | 2
Edgar Carrillo Egea | 2
Francisco Díaz-Pache Alonso | 2
Gema de la Fuente Romero | 2
Ismael Pacheco Torrecilla | 2
Javier Fernandez Beré | 2
Jesús Antón | 2
Jesús Ródenas Huerta, @Marmeus | 2
Joel Serna Moreno | 2
Jorge Manuel Lozano Gómez | 2
José Luis Verdeguer Navarro | 2
Marina Fabregat Expósito | 2
Oriol Vilella Jam | 2
Pablo Lago Romaní | 2
Konrad Kowal Karp @nag0mez | 2
Raúl Caro Teixido | 2
Raúl Fuentes Ferrer | 2
Reza Rashidi | 2
Sergio Corral Cristo | 2
Víctor Bello Cuevas | 2
Victor Fidalgo Villar | 2
Adrián Marín Villar | 1
Agustín Picazo (Black Giraffe) | 1
Álex Rodríguez Pérez | 1
Alfredo Mariños | 1
Andrea Brosio | 1
Andris Raugulis | 1
Andrea Serrano Urea | 1
@_Barriuso | 1
Bruno López (n0d0n) | 1
Camilo Andrés Bruna | 1
Carlos Alonso Arranz | 1
Carlos Galean | 1
Chetani Mesa Guzmán | 1
Cristhian Pacherres | 1
Daniel Collado Tomé | 1
Daniel Martínez Adan (adon90) | 1
David Aparicio Salcedo | 1
David Jiménez | 1
Edmundo Figueiras Gomez | 1
Ehab Hussein | 1
Enrique Fernández Lorenzo (bighound) | 1
Ethan Shackelford | 1
Gerard Fuguet Morales | 1
Germán Planells García | 1
Guillermo Mejías Climent (Flamberik) | 1
Héctor Sarrión | 1
Ignacio Lis Malagón | 1
Iker Loidi Auza | 1
Ismael Melchor Juan | 1
Jakob Pfister | 1
Jan Adamski (johnny1337.pl) | 1
Javier Garcia Antón | 1
Javier Hernández | 1
Javier Paradelo Rodriguez | 1
Javier Valero Martí | 1
Jesús Alcalde Alcázar | 1
Jesús Higueras | 1
Jesús Olmos Gonzales | 1
Jordi Forès | 1
Jorge Gutiérrez Valderrama | 1
Juan González | 1
Julián J. Menéndez | 1
Keval Shah | 1
Kevin Gonzalvo Vicente | 1
Manuel Gomez Argandoña | 1
Manuel Segovia Gil | 1
Marcos Díaz Castiñeiras | 1
Mauricio Jara | 1
Miguel Gallego Vara | 1
Milan Duric | 1
Pablo Arriaga Perez | 1
Pablo Pardo | 1
Pedro Cabrera Cámara | 1
Petar Alexandrov Nikolov | 1
Raquel Gálvez Farfán | 1
Raúl Calvo Laorden | 1
Raúl Vega Arjona | 1
Sergio Corchado Lucero | 1
Sergio González González | 1
Tarek Bouali, @iambouali | 1