Sunnyvale, Calif., October 4, 2021 — JFrog Ltd. (NASDAQ: FROG), the Liquid Software company and creators of the JFrog DevOps Platform, today announced it has been designated by the CVE Program as a CVE Numbering Authority (CNA). With this certification, JFrog joins an elite group of public and private sector organizations authorized to assign CVE identification numbers to newly discovered security vulnerabilities and publish related details in associated CVE Records for public consumption. This designation allows JFrog to collaborate with the global security community to accelerate threat detection, while providing its customers with the latest vulnerability information and differentiated remediation data via JFrog Xray.
“Becoming a CNA will not only allow us to help security researchers verify and triage their vulnerabilities but also help keep companies’ binaries more secure by collaborating on potential threats with the wider security community,” said Moran Ashkenazi, CISO and VP of Security Engineering, JFrog. “The number of security risks in software and connected devices continues to grow. As a CNA we’re empowered to work with the community to accelerate threat detection and share information on new vulnerabilities fast—before they compromise businesses.”
Cybersecurity and IT professionals worldwide use CVE records to identify, prioritize, and coordinate their efforts for addressing critical software vulnerabilities. CVE IDs are assigned by CNAs like JFrog on a voluntary basis. With this certification, JFrog becomes one of the only DevSecOps leaders to join approximately 180 other CNA authorized commercial entities such as Linux, Red Hat, Google, Microsoft, and more as trusted security community contributors.
“As a CNA, we can more effectively and efficiently disseminate the results of our unique research to our customers and the software community in general—for both newly discovered vulnerabilities and existing CVE records that may be inaccurate or incomplete,” said Asaf Karas, JFrog Security CTO “With this achievement, JFrog reinforces its commitment to being an active participant in the security community and providing our customers with scalable, secure, development to edge DevSecOps solutions.”
For more information on JFrog’s CNA certification, how it will help protect businesses and the nation’s critical infrastructure, plus the process of security vulnerability disclosures read this blog or visit https://jfrog.com/trust/.
JFrog is on a mission to be the company powering all of the world’s software updates, driven by a “Liquid Software” vision to allow the seamless, secure flow of binaries from developers to the edge. The company’s end-to-end DevOps platform – the JFrog Platform – provides the tools and visibility required by modern organizations to solve today’s challenges across critical pieces of the DevOps cycle. JFrog’s hybrid, universal, multi-cloud DevOps platform is available as both self-managed and SaaS services on AWS, Microsoft Azure, and Google Cloud. JFrog is trusted by millions of users and thousands of customers, including a majority of the Fortune 100 companies that depend on JFrog solutions to manage their mission-critical software delivery pipelines. Learn more at jfrog.com.
About the CVE Program
The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities. The CVE list of vulnerabilities, which feeds the U.S. National Vulnerability Database (VulnDB), is built by CVE Numbering Authorities (CNAs). The CVE program is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
The CVE Program relies on the community to discover vulnerabilities. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. The CVE Board, which drives the direction of the CVE Program, consists of industry, academic, and government representatives from around the world. CVE Working Groups develop the program’s policies (approved by the CVE Board) and are open to the community.
About CVE Numbering Authorities
CVE Numbering Authorities (CNAs) are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities. These CVE IDs are provided to researchers, vulnerability disclosures, and information technology vendors. Participation in this program is voluntary, and the benefits of participation include the ability to publicly disclose a vulnerability with an already assigned CVE ID, the ability to control the disclosure of vulnerability information without pre-publishing, and notification of vulnerabilities in products within a CNA’s scope by researchers who request a CVE ID from them. To review the products covered by each CNA, visit the Request a CVE ID page.
The JFrog name, logo mark and all JFrog product names are registered trademarks or trademarks of JFrog Ltd.
Other company names and product / service names mentioned in this press release are registered trademarks or trademarks of each company.
Media Contact: firstname.lastname@example.org
Investor Contact: JoAnn Horne, email@example.com