Keeper Security Now a CVE Numbering Authority

Password management company Keeper Security has recently announced that it has been authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA). This new designation makes Keeper the first password management company to join the global effort to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

As a CNA, Keeper can now directly assign CVE IDs and publish CVE records for vulnerabilities discovered in its own source code, as well as for vulnerabilities in third-party software that the Keeper team discovers and that are not within another CNA’s scope. Keeper can publish this information via the CVE List, a widely used resource in the IT and cybersecurity industry for coordinating efforts to address and prioritize vulnerabilities.

Being granted the status of CNA partner is an important milestone for Keeper, as it highlights their commitment to responsible disclosure of potential security issues. Craig Lurey, the CTO and Co-Founder of Keeper Security, stated that their mission is to provide the world’s most secure and innovative cybersecurity software, and they believe that programs like CVE are vital for ensuring the security of digital products and services that people rely on.

The CVE Program is sponsored by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). CISA uses the CVE List to compile its Known Exploited Vulnerabilities Catalog, which organizations use to prioritize the remediation of listed vulnerabilities. This helps reduce the likelihood of compromise by known threat actors. Additionally, the CVE List feeds into the U.S. National Vulnerability Database (NVD) maintained by the National Institute of Standards and Technology (NIST), which serves as the government repository of standards-based vulnerability management data.

To maintain its strong security standards, Keeper conducts quarterly application penetration testing on all of its products and systems. These tests are performed by third-party penetration testers, including renowned companies like NCC Group and Cybertest. The penetration tests include red-team style testing of both internal and externally exposed systems, giving Keeper a comprehensive understanding of its security vulnerabilities and strengths.

Additionally, Keeper has partnered with Bugcrowd to manage its bug bounty and Vulnerability Disclosure Program (VDP). This program rewards ethical hackers for successfully discovering and reporting vulnerabilities, leveraging the expertise of the hacker community to enhance Keeper’s security standards.

By becoming a CVE Numbering Authority, Keeper Security has demonstrated its commitment to improving cybersecurity practices and collaborating with the cybersecurity community to address vulnerabilities. With its new authority, Keeper will further contribute to the global efforts in securing digital products and services. The company aims to continue offering the most secure and innovative password management solutions to its customers.
