OpenCloudOS Community Becomes a CNA, Authorized to Assign CVE IDs

On October 25, 2022, the OpenCloudOS community passed the CNA admission procedure and officially became an authorized CVE Numbering Authority.
OpenCloudOS is committed to building a safe and reliable operating system community. Becoming an official CVE Numbering Authority is an important event for vulnerability management across the OpenCloudOS ecosystem: it marks that the community has mature vulnerability management practices, and it is significant for responding to and quickly handling unknown vulnerabilities within that ecosystem.
After joining CNA, OpenCloudOS will continue to follow the industry’s mature vulnerability management practices. For software vulnerabilities discovered in the OpenCloudOS community, we will respond quickly and communicate actively with issue reporters to ensure that the security issues they submit are handled reasonably and efficiently. A CVE number will be properly assigned where necessary.

What is CVE?
The full name of CVE is Common Vulnerabilities & Exposures, which is a global non-profit organization. In September 1999, the CVE Program (Common Vulnerability Disclosure Program) was established, consisting of IT vendors, security companies and security research organizations from around the world. Using the unique CVE number, relevant parties can look up a vulnerability's impact scope and patch information in vulnerability databases or security tools, so that they can quickly confirm whether a system is affected by the vulnerability and obtain a solution.

What is CNA?
The full name of CNA is CVE Numbering Authority. CNA members include vendors, open source projects, vulnerability researchers, and national/industry CERT/CC (Computer Security Emergency Response Team) organizations, among others. CNA members are responsible for assigning CVE numbers and describing vulnerabilities within their authorized scope. As of August 3, 243 organizations/enterprises from 35 countries have joined CNA, including Google, Microsoft and Red Hat.

The OpenCloudOS community has always maintained good communication with both upstream and downstream, and is committed to contributing its own capabilities back to the community. Security experts and enthusiasts who are interested in OpenCloudOS are welcome to join the OpenCloudOS Security SIG, discover and submit security issues, and work with us to build the security of the operating system ecosystem.