Wordfence is now a CVE Numbering Authority (CNA)
Today, we are excited to announce that Wordfence is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA, or CVE Numbering Authority. As a CNA, Wordfence can now assign CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes.
WordPress powers over 40% of the World Wide Web in 2021. By becoming a CNA, Wordfence expands our ability to elevate and accelerate WordPress security research. This furthers our goal of helping to protect the community of WordPress site owners and developers, and the millions of website users that access WordPress every day.
What is a CNA?
The acronym CNA stands for CVE Numbering Authority. A CNA is an organization that has the authority to assign CVE IDs to vulnerabilities for a defined scope. As a CNA, Wordfence can assign CVE IDs to WordPress Plugins, Themes, and Core Vulnerabilities.
Assigned CVE IDs are listed on our site under Vulnerability Advisories.
What is a CVE?
CVE is an international, community-based effort and relies on the community to discover vulnerabilities. The vulnerabilities are discovered then assigned and published to the CVE List. The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog.
What does this mean for Wordfence customers?
As the Wordfence Threat Intelligence team continues to produce groundbreaking WordPress security research, Wordfence can more efficiently assign CVE IDs prior to publicly disclosing any vulnerabilities that our team discovers. This means that a CVE ID will be immediately assigned with every vulnerability we discover rather than waiting for an assignment from an external CNA.
To report a vulnerability, even if there is uncertainty about the responsible disclosure process, proof of concept production, or mitigation review procedures, the Wordfence Threat Intelligence team is available to assist. Our highly credentialed team has expertise and experience in proper security disclosure and can assist in ensuring that adequate remediation of vulnerabilities, no matter the severity, are applied and verified. As the original researcher, you receive the CVE ID and public credit for your discovery. You will also receive thanks from the users and community that you have protected through your responsible disclosure. Please reach out to us and we will be happy to assist.
How to report vulnerabilities to Wordfence for CVE assignment and publication?
To report a vulnerability to Wordfence for a WordPress plugin, WordPress theme, or WordPress core, please reach out to firstname.lastname@example.org with the vulnerability information. Please include the following details:
- A concise description of the vulnerability.
- A proof of concept – that is, how the vulnerability could potentially be exploited.
- What software component in our scope is affected – namely, which plugin or theme is affected, or which part of WordPress core.
- The version number(s) affected.
- The name(s) of individuals you would like credited for the discovery – or indicate if you would like to remain anonymous.
- Any other additional information as appropriate.
The Wordfence Threat Intelligence team will review your findings and report back within 1-3 business days with a CVE ID assignment, or a request for additional information.
Community engagement and outreach at Wordfence has helped accelerate our efforts to secure the global WordPress community. Becoming a CNA has helped further this goal. Our team looks forward to expediting our own research and helping to encourage and enable new researchers to join the growing community of people who discover and responsibly disclose WordPress vulnerabilities. Together we can work towards a safer Web for all.