MITRE names The Document Foundation as a CVE Numbering Authority (CNA)

Berlin, March 15, 2019 – MITRE announced that The Document Foundation, the home of LibreOffice, has been approved as a CVE Numbering Authority (CNA). The Document Foundation is at the center of one of the largest free open source software ecosystems, where enterprise-sponsored developers and contributors work side by side with volunteers coming from every continent. The nomination is the result of significant investments in security provided by the LibreOffice Red Hat team under Caolán McNamara's leadership.

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a reference list of public cybersecurity vulnerabilities, with entries that describe those vulnerabilities and provide references for them. These references are often used as the vulnerability names, especially in security updates. To date, LibreOffice has a track record of rapid response to all reported threats.

What is a CVE Numbering Authority (CNA)?

A CNA is an organization that can assign and announce CVE entries within a particular scope. Some CNAs, such as The Document Foundation, are organizations that provide CVEs for their own products.

How will The Document Foundation assign CVEs?

The Document Foundation Security Team provides a forum for all of the vendors and individuals who contribute to LibreOffice development to co-ordinate the work of protecting our users from threats related to the application.

As a CNA, The Document Foundation Security Team now has the ability to assign CVE IDs to vulnerabilities affecting our products and to control the disclosure of vulnerability information without pre-publishing, and is notified of vulnerabilities in our products by researchers who request a CVE ID from us.