
Our CVE Story: Ericsson’s Journey as a CVE Numbering Authority (CNA)

CVE Program Blog
3 min read · Apr 2, 2024

Guest authors Milind R. Kulkarni and Umair Bukhari are both from the Ericsson Product Security Incident Response Team (PSIRT). Milind is Master Security Specialist and Umair is Head of the PSIRT. Ericsson is a CVE Numbering Authority (CNA) partner.

Ericsson, a global leader in telecommunications technology, achieved CNA status in January 2024. Over the past two decades, Ericsson Product Security has been working diligently to enhance product security, benefiting telecom networks worldwide. This milestone marks a significant advancement in the maturity of Ericsson’s vulnerability management program, reinforcing the security and reliability of our telecom products.

What made us decide to become a CNA, and what are the benefits of adopting the CVE Program process? Let’s explore.

Previously, Ericsson’s vulnerability management process, overseen by the Ericsson PSIRT Team, primarily targeted vulnerabilities in third-party software integrated into our telecom products. Before achieving CNA status, our process for handling 0-day vulnerabilities in Ericsson’s product code lacked formal definition. We collaborated with external security researchers and customers upon receiving reports, but CVEs were assigned only when requested by the finder. Additionally, each time we needed to assign a CVE Identifier (CVE ID), we had to contact the CVE Program team, which added time to our operational process.

To address these challenges strategically, we enhanced our existing PSIRT processes to better serve our telco ecosystem. As a CNA, we introduced new beneficial procedures, including the adoption of the CVE Program framework within our existing workflows.

As a CNA, Ericsson now has the authority to assign and publish CVE Records for new vulnerability reports in our own source code. This designation grants us access to the CVE Services tools and APIs, which streamline automation. Additionally, we benefit from the user-friendly Vulnogram web application interface, enabling instant procurement of CVE IDs and seamless submission of CVE Records to the public database 24x7, without the need for separate request tickets.

Being a CNA also enhances our coordination in the vulnerability disclosure process, allowing us to take ownership of messaging and provide reliable communication to customers. While Ericsson already had most of the processes in place, they have now been updated and enriched to align with the CVE Program guidelines. Leveraging our existing workflows, we ensured a smooth adoption of these enhancements. As part of our ongoing process improvement, we’ve clearly defined roles and responsibilities within our cross-functional teams for executing tasks related to CVEs.

We would like to highlight comments by Ericsson’s Chief Product Security Officer and Head of Product Security, Mikko Karikytö, which were first published in Ericsson’s news announcement, regarding CNA accreditation by the CVE Program: “Our authorization as a CVE Numbering Authority (CNA) is a proof point in our ongoing commitment to cybersecurity excellence. We are honored to join the CVE community and contribute to addressing cybersecurity vulnerabilities. This is in line with our efforts to provide resilient high-performing secure digital infrastructure and meet demanding requirements.”

As part of the CNA requirement and preparation process, Ericsson PSIRT recently published an updated product vulnerability disclosure policy. This policy outlines instructions for external users to report vulnerability issues, defines Ericsson’s scope for assigning CVEs, outlines the remediation and communication process, and establishes a researcher acknowledgment policy. Additionally, we have created a dedicated security bulletin webpage where CVEs assigned by Ericsson will be posted. For more details, please visit the Ericsson PSIRT webpage.

Becoming a CNA reflects our strong commitment to product security throughout its lifecycle. By adhering to industry best practices, we can provide structured and reliable information to our customers. As we join the CNA program, we eagerly anticipate interacting with the global CNA community to learn and exchange industry best practices in vulnerability management. This opportunity also allows us to demonstrate leadership within the telco ecosystem and the security community.
