CVE Assignment and publication

Since 15 January 2020, INCIBE has been identified as CNA (CVE - Common Vulnerabilities and Exposures - Numbering Authority), taking on from this date, the good practices of said program.

This adhesion means that INCIBE becomes one of the organizations authorized to the designation of CVE identifiers within its scope, as well as their corresponding publication in the CNA section.

This policy also aims to ensure that end users have some mitigation mechanism available to them before the CVE is released.

What can I notify to INCIBE-CERT´s CNA?

INCIBE-CERT´s CNA manages Zero Days or vulnerabilities not yet known by the manufacturer of the affected asset, which have not been assigned a CVE identifier.

Which cases are not managed by INCIBE-CERT´s CNA?

This policy does not cover the notification of vulnerabilities observed on assets when the identified vulnerability already has a CVE assigned and published. In these cases, you should contact the INCIBE-CERT incident reporting section.

How to contact INCIBE-CERT´s CNA?

To report a potential CVE candidate to INCIBE-CERT CNA, send an email to the mailbox c v e guion c o o r d i n a t i o n a r r o b a i n c i b e p u n t o e s, where you will be guided through the entire CVE assignment and publication process.

It is advisable to transmit the information encrypted with the public PGP key associated with this mailbox (download public key).

You can verify the authenticity of this key by downloading it to your key ring and executing the command:

$ gpg -k c v e guion c o o r d i n a t i o n a r r o b a i n c i b e p u n t o e s
pub rsa4096 2023-05-09 [SC] [caduca: 2025-05-09]
key fingerprint 8A80 0F04 92D0 3D3A A476 39A9 D15B CED5 B696 4FCF
uid [  absoluta ] Spanish National CNA (2023-2025) <c v e guion c o o r d i n a t i o n a r r o b a i n c i b e p u n t o e s>
sub rsa4096 2023-05-09 [E] [caduca: 2025-05-09]

The accepted languages for receiving the information are: Spanish and English.

Any communication with INCIBE-CERT CNA will be subject to INCIBE´s Personal Data Protection Policy.

CVE assignment and publication process

  • Once the notification is received, INCIBE will confirm its receipt and begin communication with the interested party within a period of no more than 3 working days.
  • The period of assignment and publication of a CVE is agreed on a case-by-case basis with the reporting researcher and the organization responsible for the affected asset.
  • Once the above period has been agreed upon, it may only be extended when the actors involved demonstrate that they are working on an effective and efficient solution to the problem.
  • INCIBE will not publicly announce a CVE until the corrections are available, as long as a solution is being worked on. Likewise, if due to the characteristics of the CVE (probability of it being exploited, or the level of impact), INCIBE reserves the right to communicate, prior to the assignment and publication of the CVE, to possible interested parties.
  • If for any reason, the person responsible for the remediation does not adequately evidence the performance of any type of action for its resolution, by default, the CVE may be assigned and published by INCIBE´s CNA after 60 days

Transformation of INCIBE´s role into Root

Since 17 June 2021, in addition to the coordination and assignment of CVE identifiers, INCIBE adopts the role of Root assuming the role of coordinating the possible CNAs under its scope.

As a Root, INCIBE will be also responsible for ensuring the effective assignment of CVE identifiers assigned by all those CNA coordinated by INCIBE, in addition to implementing the CVE Program rules and guidelines. It will be also responsible for recruitment and on boarding of new CNA and resolving disputes within its scope. In addition, INCIBE has extended its CNA scope to those CVE candidates reported to INCIBE by Spanish researchers that are not within the scope of another CNA.

The policies adopted by both INCIBE Root and the CNAs under its supervision are detailed below:

INCIBE’s Root designation consolidates INCIBE as a key agent of trust for the exchange of this type of information among Spanish organizations, thereby promoting a greater and better exchange of information so that all parties involved in this process can make better decisions in order to continue raising the level of cybersecurity of national companies.

Want to be part of the CVE program?

One of the main missions of the Roots is to promote the CVE program, inviting and creating new CNAs under its supervision.

If you want more information on how to join the program and become a CNA, you can contact us through the mailbox c v e guion c o o r d i n a t i o n a r r o b a i n c i b e p u n t o e s, from where we will indicate the necessary requirements and guide you through the entire process.

Acknowledgments

The following researchers, classified by the number of CVEs published and in alphabetical order, have participated in the CVE program coordinated by INCIBE´s CNA, discovering these security problems and agreeing to be mentioned in this list, to whom we extend our thanks:

Researcher´s NameReported CVE
Rafael Pedrero240
David Utón Amaya (m3n0sd0n4ld)25
Aarón Flecha Menéndez21
Alejandro Amorín Niño17
Jorge Alberto Palma Reyes16
Pablo Arias Rodríguez16
Sergio Román Hurtado16
Guillermo Tuvilla Gómez15
Jacinto Moral Matellán11
Francisco Javier Medina Munuera10
Joel Gámez Molina, @JoelGMSec10
Albert Sánchez Miñano9
Asier Barranco9
David Cámara Galindo9
Antonio José Gálvez Sánchez8
Gabriel Gonzalez García8
Pedro Gabaldón Juliá8
Pedro José Navas Pérez8
Rubén Barberà Pérez8
Gabriel Vía Echezarreta7
Miguel Segovia Gil6
Tin Pham aka "TF1T"6
Alexander Huaman Jaimes (@zanganox)5
HADESS5
J. Daniel Martinez (dan1t0)5
Alejandro Baño Andrés4
Ángel Heredia Pérez4
Carlos Antonini Cepeda4
David Padilla Alvarado4
Diego León Casas4
Francisco Palma Esteo4
Guillermo Garcia Molina4
Héctor de Armas Padrón (@3v4SI0N)4
Juampa Rodríguez4
Luis Martín Liras4
Oscar Atienza4
Pablo Valle Alvear4
Rubén López Herrera4
Andrés Elizalde Galdeano3
anxx3
Enrique Benvenutto Navarro3
Konrad Kowal Karp3
Luis Vázquez Castaño3
Sergio Apellániz3
Adriá Bonilla Martin2
Adrián Campazas Vega2
Alberto Gasulla2
Alberto Miguel Diez2
Ander Martínez Sola2
Carlos Polop Martin2
David Álvarez Robles2
David Matilla Rebollo2
Francisco Díaz-Pache Alonso2
Javier Fernandez Beré2
Jesús Antón2
Jesús Ródenas Huerta, @Marmeus2
Joel Serna Moreno2
Jorge Manuel Lozano Gómez2
José Luis Verdeguer Navarro2
@nag0mez2
Raúl Caro Teixido2
Raúl Fuentes Ferrer2
Sergio Corral Cristo2
Víctor Bello Cuevas2
Victor Fidalgo Villar2
Víctor Fresco Perales (@hacefresko)2
Adrián Marín Villar1
Agustín Picazo (Black Giraffe)1
Alfredo Mariños1
@_Barriuso1
Camilo Andrés Bruna1
Cristhian Pacherres1
Daniel Collado Tomé1
Daniel Martínez Adan (adon90)1
David Jiménez1
David Manuel Herrera Rodríguez1
Edgar Carrillo Egea1
Gerard Fuguet Morales1
Germán Planells García1
Ignacio García Mestre (Br4v3n)1
Ignacio Lis Malagón1
Iker Loidi Auza1
Jakob Pfister1
Jan Adamski (johnny1337.pl)1
Javier Garcia Antón1
Jesús Higueras1
Jesús Olmos Gonzales1
Jordi Forès1
Jorge Gutiérrez Valderrama1
Juan González1
Julián J. Menéndez1
Mauricio Jara1
Milan Duric1
Keval Shah1
Manuel Segovia Gil1
Pablo Alcarria Lozano1
Petar Alexandrov Nikolov1
Raquel Gálvez Farfán1
Raúl Vega Arjona1
Sergio González González1
Tarek Bouali, @iambouali1
6h4ack1
Compartir en Redes Sociales