Düsseldorf/Germany, November 1, 2022Cybersecurity specialist ONEKEY has been authorized by the CVE Program as a CVE Numbering Authority (CNA). With its vulnerability research focus on industrial control system (ICS) products and connected devices, CISA, the US Cybersecurity and Infrastructure Security Agency, will act as ONEKEY’s Top-Level Root CNA.

With the recent enhancement of ONEKEY’s capabilities to automatically detect zero-day vulnerabilities in ICS products and other connected devices, acting as a CNA and assisting affected vendors during the coordinated disclosure process helps ONEKEY to better scale its efforts to secure the Internet of Things. 

“As ONEKEY invests in top cybersecurity, we help pave the way for vulnerability identification and disclosure. That’s why we are proud to contribute as a CVE Numbering Authority to the global effort that enables cybersecurity professionals to quickly identify and remediate vulnerabilities,” said Jan C. Wendenburg, CEO of ONEKEY. 

CVE is an international, community-based program and relies on the community to discover vulnerabilities. The discovered vulnerabilities are assigned and published in the CVE list. CNAs are organizations responsible for regularly assigning CVE IDs to vulnerabilities and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publication. ONEKEY will cover its own produced products as well as projects hosted at https://github.com/onekey-sec/ and any vulnerabilities discovered by ONEKEY that are not in another CNA’s scope.  

“Our Security Advisories almost always mention at least one CVE ID. These CVEs help professionals address these vulnerabilities to increase the security of their infrastructure. 
Ideally, a CVE ID is assigned before a Security Advisory is published,” adds Florian Lukavsky, CTO of ONEKEY. It is common for manufacturers to keep security vulnerabilities secret until a solution has been developed and tested. This reduces the opportunities for attackers to exploit unpatched vulnerabilities. 

With the recent addition of automated detection capabilities of zero-day vulnerabilities, ONEKEY can now not only increase the detection rate of critical vulnerabilities in ICS and other connected devices, but also assign CVE IDs to these vulnerabilities and enable program stakeholders to rapidly discover and correlate vulnerability information to protect systems against attacks. 


ONEKEY publishes new security advisories regularly – have a look.