Google Cloud to Assign CVEs to Critical Vulnerabilities 


Google Cloud announced on Tuesday that moving forward it will assign CVE identifiers to critical vulnerabilities found in its products, even if they do not require the user to deploy patches or take other action.

Critical Google Cloud flaws that will receive CVEs will have advisories published on the Google Cloud Security Bulletins page. 

A tag named ‘exclusively-hosted-service’ will indicate that customers do not need to take any action for a specific vulnerability. 

The expansion of its CVE program is part of its commitment to transparency, Google Cloud said. 

The cloud giant recently announced a new Vulnerability Reward Program (VRP) with bug bounties of up to $100,000 for security issues found in its products and services. 

“While the Google Cloud VRP has a specific focus on strengthening Google Cloud products and services, and brings together our engineers with external security researchers to further the security posture for all our customers, CVEs enable us to help our customers and security researchers track publicly-known vulnerabilities,” Google Cloud representatives said in a blog post.

Google Cloud joins Microsoft, which has been assigning CVE identifiers and publishing advisories for cloud vulnerabilities that do not require any user interaction since June 2024. 

Amazon Web Services (AWS) has also been issuing CVE identifiers for vulnerabilities affecting its cloud products and services. 


Cloud security giant Wiz has been maintaining a database of cloud vulnerabilities since 2022. The database currently stores information on nearly 200 security issues found between 2008 and the present day.

The CVE Program recently turned 25. There are currently over 400 CVE Numbering Authorities (CNAs) and more than 240,000 CVE identifiers were assigned as of October 2024. 
