NORCROSS, GEORGIA – AMI®, a global leader in powering, managing and securing the world’s connected digital infrastructure through its BIOS, BMC and security solutions, is pleased to announce its participation in facilitating the acceptance of TianoCore as a CVE Numbering Authority (CNA) by the Common Vulnerabilities and Exposures (CVE®) Program.
CVE is an international, community-based effort that maintains a community-driven, open data registry of vulnerabilities. The CVE IDs assigned through the registry enable program stakeholders to rapidly discover and correlate vulnerability information used to protect systems against attacks. The CVE Program currently has 140 CNAs in 24 countries, spanning technologies and services across the globe.
TianoCore is a community-supported open source implementation of the Unified Extensible Firmware Interface (UEFI), developed and promoted by the UEFI Forum, a non-profit industry standards body responsible for developing, managing and promoting UEFI specifications. TianoCore represents a modern and cross-platform firmware implementation for the UEFI and UEFI Platform Initialization (PI) specifications, which has ultimately evolved into other open source projects under the TianoCore community. AMI is a founding member and promoter of the UEFI Forum, holding a seat on the Board of Directors and contributing to its formation from its inception.
The acceptance of TianoCore as a CNA by the CVE Program means that it will be able to issue CVEs for vulnerabilities affecting TianoCore or EDK-II source. The CVE Program has added TianoCore to its list of CNA participants, available on its website at https://cve.mitre.org/cve/request_id.html#cna_participants. This acceptance will also help to streamline the work of the TianoCore Infosec Group, which documents the community’s findings on known vulnerabilities and security issues at https://github.com/tianocore/tianocore.github.io/wiki/Reporting-Security-Issues.
As part of this announcement, AMI will participate in a coordinating role together with other industry leaders in BIOS and UEFI firmware as well as Intel® Corporation. For over a decade, AMI engineers have donated time and their combined years of firmware development expertise to help with open source vulnerabilities originating from TianoCore or EDK-II. In this role, AMI and the other participating companies are granted the authority to request a CVE on behalf of TianoCore, either for the project itself or for any other OSS project that consumes TianoCore projects or code.
“As firmware security and trust become an increasingly important area of cybersecurity focus, we are grateful to AMI for the role it has played in driving the acceptance of TianoCore as a CVE Numbering Authority with the CVE Program,” said Beverly Alvarez, Lenovo PSIRT Program Manager and member of the CVE Board. “Their leadership, together with all of the leading names in the BIOS/UEFI space, underscores the importance that each of these organizations sees in supporting standardized, industry-wide terminology for the naming and classifications of all types of vulnerabilities.”
“AMI is extremely pleased to have played a role in the acceptance of TianoCore as a CVE Numbering Authority by the CVE Program,” said Eric Johnson, Managing Engineer for Software and Security Services at AMI. “Over the years, AMI has strengthened its commitment both to firmware security leadership and to deeper participation in relevant open source software (OSS) projects, and today’s announcement is one of the results of that effort, something of which all AMI contributors can be very proud,” he added.
Stefano Righi, Vice President of Global Software, Security Engineering & Services and AMI’s representative on the UEFI Board of Directors, added that “this achievement is the culmination of over 15 years of contribution by AMI to UEFI, with an ever-increasing focus on the security of firmware implementation based on the UEFI Specification. With the granting of CVE Numbering Authority for TianoCore, in addition to the ability to specify security features, AMI can now contribute to the security of the entire firmware development lifecycle – monitoring the ecosystem of released products and identifying mitigations for new vulnerabilities detected by security researchers.”