From the beginning of August, CERT Polska, as the only institution in Poland and one of 7 CERTs in Europe, can assign CVE numbers, which are used to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

Operating on a unified vulnerabilities database significantly increases the effectiveness of actions taken by affected entities. We needed an organization in Poland operating in the CVE program, and as of today, we have it – emphasizes Sebastian Kondraszuk, head of CERT Polska.

What is CVE?

CVE, or Common Vulnerabilities and Exposures, is an international program supporting the disclosure of security vulnerabilities in computer software. Anyone who finds a vulnerability can report it to an organization that is a CNA. CNAs are organizations responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information in the associated CVE Records. As of today, such a function is performed by CERT Polska.

The CVE database is public and available for free to anyone. It is the basis for organizations around the world in identifying and tracking information about new security vulnerabilities. The CVE list also feeds the US National Vulnerability Database (NVD), where CVE records can be conveniently viewed.

CERT Polska's participation in the program is an extremely important element in our development plan. It is also a significant point arising from the obligations under the NIS2 directive - Kondraszuk points out, adding that CNA status is a reason for satisfaction and a confirmation of the CERT Polska's high standards in handling this type of reports.

More about the policy of reporting vulnerabilities to CERT Polska and the principles of the CVE program can be found on the dedicated website: https://cert.pl/cvd/.