Joomla becomes CVE Numbering Authority: what does this mean?
You may have read about it in the official announcement: Joomla has been authorized as a CVE Numbering Authority. But what is this, you might wonder, why is it such a big deal, and what does it mean to the average Joomla user?
CVE means Common Vulnerabilities and Exposures. It’s a huge international, community-driven open database containing information about vulnerabilities in computer systems and networks. Each entry in the database has its own unique ID.
Every newly reported vulnerability is checked before it becomes publicly available. It gets a “reserved” status in the database until it has been investigated. So when a vulnerability in Joomla is found, it gets reported, receives an ID, is marked as reserved, and Joomla can decide to fix it and/or provide public announcements about it.
Who assigns these IDs?
Worldwide, until recently, there were 145 organisations (in 25 countries) that were authorized to assign these IDs to vulnerabilities and thus provide them to researchers, vulnerability disclosers and information technology vendors, and eventually make them visible to the public. These organisations are called CVE Numbering Authorities (CNAs).
As you probably guessed by now, since mid-November 2020 there are 146 CNAs: Joomla has been authorized as well. This means we can assign these numbers ourselves, choose to publicly disclose a vulnerability with an already assigned CVE ID and, basically, control the disclosure of vulnerability information.
Why is that important?
In the past, false security issues have been registered with the CVE by people or organisations not related to Joomla, for instance by re-registering vulnerabilities that were fixed long ago. In several cases this resulted in inaccurate blog posts from organisations or individuals, even from authorities on security issues, claiming that Joomla is insecure, which, as you all know, is not true. Joomla is one of the safest content management systems available.
From now on, only Joomla itself (the Joomla Security Strike Team, JSST) is allowed to register vulnerability issues and assign a CVE ID for issues related to Joomla, and the JSST is the only party authorized to create a new number for a new security issue we want to publish. This means our awesome JSST can work more closely with the international security community to make Joomla even more secure. And not just Joomla: extensions as well!
And what does this mean for me?
As a Joomla user, you are used to working with a stable, very secure and super safe CMS that enables you to create beautiful websites and powerful online applications. You probably already knew that Joomla is the best choice when you’re looking for a search-engine- and mobile-friendly, multilingual, flexible and extensible open source CMS.
The big news is: that won’t change at all... except of course that “safe” just got safer.