CERT-In authorised to report vulnerabilities impacting products designed and manufactured in India

The Indian Computer Emergency Response Team (CERT-In) has been authorised by the international CVE programme as an authority to recognise potential vulnerabilities that impact products designed, developed and manufactured in India. 

The CVE programme handles the database of common vulnerabilities and exposures, a publicly disclosed database containing information security issues.  

The CVE identifies, defines and catalogues publicly disclosed cybersecurity vulnerabilities. IT and security personnel utilise this information to ensure that they discuss the same issue and to coordinate efforts.   

CVE Partners publish certain CVE Records to let the ecosystem keep abreast of vulnerabilities. 

The CVE programme is a part of the MITRE Corporation which provides engineering and technical guidance to the US government. They are known as being a technical advocate for intelligence agencies as well as the US military. 

Each of these security issues possess a unique number, which can only be provided by authorized entities. For example, for a vulnerability in the Safari browser due to spyware Pegasus, a recognised number was CVE-2016-4657, indicating a memory corruption in the Safari Browser toolkit.  

CERT-In has now been recognised as a CVE Numbering Authority (CNA) for these security incidents by CVE.   

CERT-In is a government designated organisation that serves as the national agency to undertake collection, dissemination and analysis of critical information on cyber incidents.   

The company is also in charge of forecasting and alerting on cyber security incidents, along with required emergency measures for these incidents. 

The CVE programme has already been undertaking disclosure and coordination for vulnerabilities reported to CERT-In. The government claimed that being certified as a numbering authority would ‘nurture responsible vulnerability research in the country’.