Cloudflare has joined CISA’s “Secure by Design” pledge to strengthen transparency and best practices in vulnerability disclosure, reinforcing its commitment to securing digital ecosystems. The company actively issues and manages CVEs for its products while promoting open collaboration and responsible disclosure to protect customers and partners. #Cloudflare #CISA
Key points
- Cloudflare joined the CISA “Secure by Design” pledge in May 2024 to promote cybersecurity transparency and resilience.
- The pledge emphasizes transparency in vulnerability reporting as a cornerstone for building trust and enhancing security.
- Cloudflare acts as a CVE Numbering Authority (CNA), allowing it to assign and manage CVEs for security issues in its products and open source software.
- The company follows a structured CVE issuance and disclosure process, including triage based on exploitability and impact, and a standard 90-day disclosure timeline.
- Notable vulnerabilities disclosed by Cloudflare include memory exhaustion attacks in the quiche library, improper authentication in the Cloudflare WordPress plugin, and privilege management flaws in the WARP client.
- Cloudflare collaborates with external security researchers through its Bug Bounty program and encourages responsible public disclosure after remediation.
- The company aims to complete all CISA Secure by Design pledge goals by May 2025 while continuously improving its security posture and tooling.
Read more: https://blog.cloudflare.com/vulnerability-transparency-strengthening-security-through-responsible/