Mautic authorized as a CVE Numbering Authority (CNA)

Recently we made the first major security release in several years, which also coincided with the clarification of processes and workflows the Security Team will follow should another vulnerability arise in the future.

Part of this process was to become a CVE Numbering Authority (CNA) so that we can be the single source of truth for dealing with the publishing of information relating to vulnerabilities in Mautic and officially supported plugins.

The CVE Program has today authorized Mautic as a CVE Numbering Authority (CNA).

What is a CVE?

External to our project, the Common Vulnerabilities and Exposures (CVE®) Program assigns a unique identifier to each vulnerability discovered across any participating project. This enables two or more people or tools to refer to a vulnerability and know they are talking about the same thing, resulting in significant time and cost savings.

The Common Vulnerabilities and Exposures (CVE®) Program is an international, community-based effort and relies on the community to discover vulnerabilities. The vulnerabilities are discovered, then assigned and published to the CVE List.

What is a CNA?

CNAs are organizations responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing.

Within the framework of the CNA program, the Mautic Security Team can now assign CVE numbers to newly identified vulnerabilities and publicly disclose information on these vulnerabilities. The scope of this authority includes Mautic Core and officially supported plugins not covered by another CNA.

What does this mean for Mautic?

Becoming a CNA means that if anybody discovers a vulnerability with Mautic or any of the officially supported plugins, they will have to report it to the Mautic Security Team in order to be granted a CVE ID.

Previously, a report could be made to the CVE Program without involving the Mautic Security Team, which could lead to vulnerabilities being published before a fix was available, or even before the team was aware of the vulnerability.

How do I report a vulnerability?

We have detailed guidelines which you can review here:

Who can I contact for more information?

Please reach out to [email protected] in the first instance.


Ruth Cheesley

Ruth is an Open Source advocate with over 18 years of experience using and contributing to many different projects. Having served on the Community Leadership Team of the Joomla! project and built a full-service digital agency, she now works as Project Lead for Mautic, supporting the community who build and maintain the world’s first Open Source Marketing Automation platform. Ruth is a lover of cats, a keen runner and flautist (but not at the same time!) and is based in the East of England.
