Qt Group Authorized as a CVE Numbering Authority (CNA) by the CVE Program

Qt Group has been authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CVE Numbering Authority (CNA), covering all Qt products. It is a significant milestone in Qt’s cybersecurity strategy and aligns with our commitment to robust vulnerability management processes and practices.


What Are CNAs and the CVE Program?

The CVE Program is an international, community-based effort with a mission to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. It makes it possible to refer to a vulnerability by a consistent identifier, resulting in significant time and cost savings.

CNAs, such as Qt, are authorized organizations around the world. They are responsible for assigning unique IDs to discovered cybersecurity issues, and for creating and publishing information about them to the CVE List as CVE Records. This also ensures consistent communication about the discovered vulnerabilities.

The Importance of the CVE Program

The CVE Records are used by information technology and cybersecurity professionals to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities. The records enable program stakeholders to rapidly discover and correlate vulnerability information used to protect systems against attacks.

What Does the CNA Authorization Mean to Qt?

Partnering with the CVE Program as a CNA is a significant milestone in Qt’s cybersecurity strategy. It supports the earlier ISO 27001:2022 certification, the introduction of the Early Warning List and the SBOM, as well as the extension of the long-term support period of our LTS releases. Further, it aligns with our commitment to comply with cybersecurity laws and regulations, including the recent EU Cyber Resilience Act (CRA).

“Becoming a CNA is a natural step for Qt along with the other efforts we have done so far and continue to do going forward. We are dedicated to efficient and transparent handling of security issues in our products. Becoming a CNA will make it easier for us to release high-quality, authoritative CVE records that our customers and community can rely upon,” says Kai Köhne, Director of R&D at Qt.

Qt continues to invest further in strengthening the cybersecurity of our products, and we look forward to collaborating with the other CNAs and experts.


Got a security issue to report for a Qt product? Please find the guidelines at https://doc.qt.io/qt-6/security.html

