Today, password management company Keeper Security has announced that it has been authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA). Keeper is the first password management company to join this global effort to identify, define and catalogue publicly-disclosed cybersecurity vulnerabilities.
As a CNA, Keeper has the ability to directly assign CVE IDs and publish CVE records for vulnerabilities discovered in its own source code and vulnerabilities in third-party software discovered by the Keeper team that are not in another CNA’s scope. Keeper can then publish that information via the CVE List, which information technology and cybersecurity professionals around the world use to coordinate their efforts to prioritise and address the vulnerabilities.
Craig Lurey, CTO and Co-Founder of Keeper Security, says: “Becoming a CNA partner highlights our ongoing commitment to the responsible disclosure of potential security issues. Our mission is to provide the world’s most secure and innovative cybersecurity software, and we believe that programs like CVE are a vital component to ensuring the security of all digital products and services people rely on.”
CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). CISA uses the CVE List to compile its Known Exploited Vulnerability Catalogue, which organisations use to prioritise remediation of listed vulnerabilities, reducing the likelihood of compromise by known threat actors. The CVE list also feeds into the National Institute of Standards and Technology (NIST) U.S. National Vulnerability Database, which is the government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol.
Keeper performs quarterly application penetration testing on all of its products and systems with 3rd party penetration testers, including NCC Group and Cybertest. These include red-team style penetration tests of both internal and externally-exposed systems with full source code access. Keeper has also partnered with Bugcrowd to manage its bug bounty and Vulnerability Disclosure Program (VDP), which rewards ethical hackers for successfully discovering and reporting vulnerabilities, leveraging the hacker community to continuously uphold Keeper’s high security standards.