Boston, MA — December 20, 2016 — Rapid7, Inc. (NASDAQ: RPD), a leading provider of IT and security analytics solutions, today announced that the Company has been designated as a Common Vulnerability and Exposures (CVE) Numbering Authority (CNA), effective immediately. Rapid7 will now be able to assign CVE numbers to vulnerabilities found in Rapid7’s and any other vendors’ products, whether they are disclosed by Rapid7 or third party researchers. CVEs assigned by Rapid7 will be added to the CVE list, an enumeration of information security vulnerabilities and exposures that provides a singular way of identifying publicly known cybersecurity issues.
The goal of CVE is to make it easier to share data across separate vulnerability tools, repositories, and services with standardized identifiers for given vulnerabilities or exposures. The common identifiers allow users to quickly and accurately access information about a problem across multiple information sources that are CVE-compatible. The MITRE Corporation (MITRE) manages and maintains the CVE List with assistance from the CVE Board. MITRE is a not-for-profit operator of seven federally funded research and development centers, and their mission is to work in the public interest. Their unique role allows them to provide an objective perspective with regard to disclosed vulnerabilities.
“We are honored to become a CNA and look forward to collaborating with MITRE, who have impressed us with their efforts to evolve the CVE program to meet ever-increasing needs,” said Corey Thomas, president and CEO at Rapid7. “Our support of reasonable disclosure practices is driven by our deep-seated commitment to supporting and empowering the community. Our goal is twofold: help improve and mature the security practices of vendors and manufacturers, while educating users on risk, so they can make informed decisions.”
Rapid7 has an established record of coordinated and reasonable disclosure practices, and has been a strong supporter of free and open security research through its open source efforts, including Metasploit Framework. As a provider of security software, services, and research, the Company takes security issues very seriously and recognizes the importance of privacy, security, and community outreach. In 2016 alone, Rapid7 coordinated with more than 25 vendors on vulnerability disclosures discovered by its researchers. These efforts are driven by a belief that security is a communal challenge and will only be meaningfully addressed through active collaboration. As such, the Company is committed to openly facilitating the sharing of security information that helps customers and the broader community learn, grow, and develop new security capabilities.
As a CNA, Rapid7 will assign CVE numbers to describe vulnerabilities identified in software products, once they are acknowledged by the affected vendors, in accordance with the rules and practices set forth by the CVE Board.