NCSC-FI authorised as a CVE Numbering Authority

A vulnerability means any weakness that can potentially cause damage or that can be exploited to cause damage. Vulnerabilities can be present in information systems, software, devices, processes and household automation, in addition to which they can also arise as a result of people’s actions. You can find more information about vulnerabilities on this page (External link) of the NCSC-FI website.

The mission of the global CVE Program is to identify, define and catalog publicly disclosed cyber security vulnerabilities. The CVE Program is based on international cooperation, with discovered vulnerabilities being defined and published in a coordinated manner on the internet. CVE IDs are used by information security professionals to differentiate software vulnerabilities. In addition to an ID, each CVE Record includes detailed information about the vulnerability and its criticality, for example. A critical vulnerability can be e.g. a software bug that enables remote code execution (RCE) over the internet. Any device or software containing critical vulnerabilities should be patched immediately after the vulnerability and the fix to it are made public. For example, in 2021 a critical vulnerability in the Microsoft Exchange email server software led to over 70 organisations in Finland having their email servers compromised.

CNAs are organisations that assign CVE IDs to discovered vulnerabilities. The NCSC-FI’s role as a CNA is to assign CVE IDs to vulnerabilities in the products of Finnish organisations. “International vulnerability work is by and large volunteer work. Because of this, it is important for the parties engaging in vulnerability work to contribute to the production and maintaining of up-to-date and high-quality vulnerability data,” states Chief Specialist Juhani Eronen from the NCSC-FI. You can read MITRE’s news article about the NCSC-FI here (External link). MITRE is the National Cyber Security Centre Finland’s (NCSC-FI) root.

CVE Records are listed on the CVE List website, for example. Each CVE Record on the list has been defined and confirmed by a CNA. CVE List material is also imported directly to the U.S. National Vulnerability Database (NVD). When it comes to fixing discovered vulnerabilities, quick and broad information exchange is key. As such, the aim of the cooperation carried out under the CVE Program is to get vulnerabilities fixed as soon as possible, before they can be exploited by criminals.

“The NCSC-FI has been carrying out vulnerability coordination for a long time. We receive reports of vulnerabilities on a weekly basis, which we analyse before contacting the manufacturer of the affected products, if necessary. Becoming a CNA is a great step for us, strengthening the NCSC-FI’s position as an international information security actor,” says Information Security Adviser Matias Mesiä. You can read more about the NCSC-FI’s vulnerability coordination here (External link). More information about how to become a CNA and the associated requirements can be found here (External link).

The NCSC-FI’s vulnerability articles differentiate vulnerabilities with the help of CVE IDs. The articles focus on the most critical publicly disclosed vulnerabilities, which should be patched immediately. Often software developers will publish a patch for a discovered vulnerability, but sometimes it may be necessary to carry out other technical measures to mitigate a vulnerability while waiting for a patch.