Hey gang, it’s your internet pal Tod Beardsley, and I wanted to take just a sec to let y’all know that runZero is now officially a CVE Numbering Authority!
I’m genuinely thrilled to help stand up this program at runZero, as I’m a well-known CVE superfan. I’m on the CVE Board, chair a CVE working group, run the CNA Slack workspace, and I have some deeply held beliefs about the value of precise, well-referenced vulnerability records. Becoming a CNA gives us the opportunity to contribute directly to that body of public knowledge, not just as producers of high-quality security research, but as stewards of the data defenders rely on every day to make confident patching and risk-management decisions.
At runZero, we spend a great deal of time neck-deep in the parts of the network most organizations struggle to see clearly: OT gear running on fragile stacks, IoT devices chatting on proprietary protocols, and all those oddball embedded systems that never show up on traditional scanners. These systems break in ways that are often undocumented, subtle, or downright weird, and the industry has historically struggled to present those issues in a structured, reproducible way. Now that we can assign and publish CVE IDs ourselves, we can bring much more transparency and technical rigor to the kinds of bugs we routinely encounter in this space. As protocol nerds, we get to do the work the way we think it ought to be done: carefully, thoroughly, and with enough context that others can actually learn from it.
Of course, this also applies to our own products. Nobody ships perfect software, and when we (rarely!) find an issue in our own code, we want to document it publicly, accurately, and without delay. CNA status streamlines that entire process. Instead of relying on external bottlenecks or waiting for someone else’s queue to clear, we can publish timely, well-structured CVEs that reflect the exact details defenders need. Coordinated disclosure should make the world safer, not slower, and this designation helps us remove that delay.
What excites me most is how this fits into the larger ecosystem of coordinated vulnerability disclosure (CVD). OT and IoT vendors often have limited experience with CVD norms, and many operate without a clear path for publishing advisories or requesting CVE IDs. By taking on CNA responsibilities, we can meet those vendors where they are, help them navigate coordinated disclosure, and elevate the overall quality of vulnerability reporting in domains that desperately need more daylight. The result benefits everyone: researchers, suppliers, operators, and crucially, defenders tasked with keeping these environments running safely. Patching OT gear is often slow and painful, so anything we can do to help defenders prioritize patches or compensating controls is crazy valuable across critical infrastructure.
This milestone is a natural extension of the work we already do in exposure identification, deep fingerprinting, and protocol analysis across IT, OT, IoT, mobile, and cloud environments. Now we can channel that expertise into a sustained contribution to the CVE Program, strengthening the shared foundation the entire security community depends on.
So, keep an eye on this blog for our next coordinated disclosure, and you can review the handful of bugs we’ve disclosed so far this year over at our revamped security advisories page.