Wordfence has been authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CNA (CVE Numbering Authority), which allows the company to directly assign CVE numbers for new vulnerabilities in WordPress core, plugins, and themes. The authority is granted by Mitre Corporation, a federally-funded US non-profit that manages research and development centers. Wordfence anticipates that the ability to create CVE assignments will expedite its security research.
“As the Wordfence Threat Intelligence team continues to produce groundbreaking WordPress security research, Wordfence can more efficiently assign CVE IDs prior to publicly disclosing any vulnerabilities that our team discovers,” Wordfence threat analyst Chloe Chamberland said. “This means that a CVE ID will be immediately assigned with every vulnerability we discover rather than waiting for an assignment from an external CNA.”
Not having to wait on a CVE ID is a major advantage for the company, especially when working with enterprise installations where WordPress is used in combination with other software. It also helps security personnel prioritize and act based on the potential severity of threats.
“Our efforts to become a CNA had these individuals, institutions, and enterprise personnel in mind, as well as WordPress’ reputation as a whole,” Chamberland said. “Now, those tasked with securing WordPress will be able to quickly reference the CVE ID from our blog posts when reporting vulnerabilities throughout their organization and handling security update prioritization. We also hope that by being a CNA, Wordfence will receive even more direct reports from security researchers.”
Becoming a CNA simplifies a security company’s process of submitting vulnerabilities. Wordfence is the second company to become one operating within the scope of WordPress and related vulnerabilities. In January 2021, WPScan was granted CVE Numbering Authority status. Prior to becoming a CNA, assigning CVEs for every vulnerability in WPScan’s database would have been too time-consuming.
“Becoming a CNA has allowed us to help security researchers to verify and triage their vulnerabilities,” WPScan founder and CEO Ryan Dewhurst said. “This has helped grow our WordPress vulnerability database and keep WordPress users secure. But it is just one source of vulnerabilities among many others that we use.”
The process for Wordfence to become a CNA was surprisingly simple. Chamberland said the company filled out a registration form with a few questions.
“Once we were approved and agreed upon a scope, you are required to watch a series of onboarding videos that explain the processes required of a CNA,” she said. “After that, we had an onboarding meeting to ensure our team was fully trained on CVE Program protocols. It took Wordfence about a month to get authorized as a CNA once they received our registration form.”
Historically, the WordPress ecosystem has been a magnet for those looking to exploit vulnerabilities, due to its large footprint on the web. That trend is likely to continue. Chamberland believes there is room for multiple CNAs in the WordPress space.
“We’ve had a great working relationship with WPScan over the years, and we expect that this relationship will continue as we have a similar mission in helping secure the WordPress community,” she said.
“As WordPress grows, it becomes a larger and more attractive target for malicious actors. The more hands we have on deck, and the better we collaborate and adhere to industry standard security practices, the safer WordPress will be.”
Attracting more researchers to report vulnerabilities is a major benefit to security companies that gain CNA status, since they are essentially in the business of selling vulnerability protection data. They give their paid customers early access to patches that are not yet available to the general public. Becoming a CNA has the potential to increase the value their businesses can provide.
“With this growth in WordPress, we expect to see more security researchers in the WordPress space,” Chamberland said. “As such, we are bound to see an increase in CVE ID requests. Having multiple CNAs that can assign CVE IDs to WordPress core, plugins and themes makes sense to improve the speed with which security researchers can obtain CVE IDs, and provides researchers with multiple sources for CVE IDs.”