Mautic authorized as a CVE Numbering Authority (CNA)

Recently we made the first major security release in several years. Alongside it, the Security Team clarified the processes and workflows it will follow when the next vulnerability is reported.

Part of that process was to become a CVE Numbering Authority (CNA), so that the Security Team is the single source of truth for publishing information about vulnerabilities in Mautic and its officially supported plugins.

The CVE Program has today authorized Mautic as a CVE Numbering Authority (CNA).

What is a CVE?

External to our project, the Common Vulnerabilities and Exposures (CVE®) Program assigns a unique identifier (a CVE ID) to each publicly disclosed vulnerability in a participating project. This lets people and tools refer to a vulnerability and know they are talking about the same thing, which saves significant time and cost.

The CVE Program is an international, community-based effort and relies on the community to discover vulnerabilities. Once a vulnerability is discovered, it is assigned a CVE ID and a CVE Record is published to the CVE List.

What is a CNA?

CNAs are organizations responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about each vulnerability in the associated CVE Record. Each CNA has a defined scope of responsibility for vulnerability identification and publishing.

Within the framework of the CNA program, the Mautic Security Team can now assign CVE IDs to newly identified vulnerabilities and publicly disclose information about them. The scope of this authority covers Mautic Core and officially supported plugins that are not already covered by another CNA.

What does this mean for Mautic?

Becoming a CNA means that anybody who discovers a vulnerability in Mautic or any of the officially supported plugins should report it to the Mautic Security Team, which is now the CNA that assigns the CVE ID for it. Reporting to the team first also means the vulnerability can be fixed before it is disclosed.

Previously, a CVE ID could be requested from the CVE Program without involving the Mautic Security Team, which could lead to a vulnerability being published before a fix was available, or before the team was even aware of it.

How do I report a vulnerability?

We have detailed guidelines which you can review here: https://www.mautic.org/mautic-security-team/how-to-report-a-security-issue

Who can I contact for more information?

Please reach out to [email protected] in the first instance.


Ruth Cheesley

Ruth is an Open Source advocate with over 18 years of experience using and contributing to many different projects. Having served on the Community Leadership Team of the Joomla! project and built a full-service digital agency, she now works as Project Lead for Mautic, supporting the community who build and maintain the world’s first Open Source Marketing Automation platform. Ruth is a lover of cats, a keen runner and flautist (but not at the same time!) and is based in the East of England.
