Starting on September 28, 2021, the Swiss National Cybersecurity Centre (NCSC) is part of the global network for the management of IT system vulnerabilities. This means that the NCSC, as a specialist body, is now permitted to assign a unique identification number to reported vulnerabilities in accordance with the international reference system. The NCSC has been authorised to do so by the competent independent US organisation, MITRE.
Weaknesses and vulnerabilities in IT systems and applications are discovered and reported worldwide every day. In order to avoid the exploitation of these vulnerabilities insofar as possible, it is extremely important that they be remedied quickly and thus that the operators and manufacturers be notified. A unique CVE (Common Vulnerability and Exposure) identification number is therefore assigned to each vulnerability. The mission of the CVE Program by MITRE is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.
The NCSC was recently recognised by the CVE Programme as a CVE Numbering Authority. In this role, the NCSC is responsible for preparing and publishing information about the vulnerabilities reported to it and the associated CVE records. This means that the NCSC is not only the official contact point for reporting security vulnerabilities in Switzerland, but also maintains their CVE IDs for international exchange.
The NCSC is currently expanding its vulnerability management and, since March 2021, has been receiving reports of vulnerabilities in IT systems and applications via a form on its website in order to notify them to those responsible as an intermediary. Recently, in the context of vulnerability management, the NCSC also closely monitored the test phase of the COVID-19 certificate infrastructure and the first Bug Bounty pilot programme in the Swiss Federal Administration.