Toshiba Joined CVE Program

June 16, 2021

TOKYO—Toshiba Corporation (TOKYO: 6502) is authorized by the Common Vulnerabilities and Exposures (CVE®) Program as a CVE Numbering Authority (CNA)*1, to assign CVE Identifiers (CVE IDs) to software vulnerabilities within the company’s scope. This eliminates the need for a third party to assign a CVE ID, and will allow Toshiba to respond more quickly to vulnerabilities.

CVE is an international, community-based effort and relies on the community to discover vulnerabilities. Vulnerabilities are discovered, then assigned and published to the CVE List. The CVE Program’s mission is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.

Toshiba joined the CVE Program through JPCERT Coordination Center*2, the Root CNA in Japan.

Toshiba established a Product Security Incident Response Team (PSIRT) in 2016, responsible for strengthening the security of products and services, and reducing cyber risk. The company took its next step in October 2017, when it responded to a growing sense of crisis and concern regarding cyberattacks by establishing the Toshiba Cyber Security Center, integrating PSIRT and its Computer Security Incident Response Team (CSIRT). Since then, the post of Toshiba Group Chief Information Security Officer (CISO) has been established, tasked with overseeing and promoting strengthened security governance, and the entire Toshiba Group is working to advance and strengthen cybersecurity.

As an infrastructure services company that supports people in their daily lives, Toshiba is acutely aware of the need to disclose information on any vulnerabilities related to its products and services. As a CNA, the company will assign CVE IDs to any vulnerabilities found in the Group’s products or services and publish the information, ensuring that customers can use them safely.

 

Find out more about Toshiba’s cybersecurity on the following websites:

Toshiba Cyber Security
https://www.global.toshiba/ww/cybersecurity/corporate.html

Toshiba PSIRT
https://www.global.toshiba/ww/cybersecurity/corporate/psirt.html

  *1 An organization responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerability in the associated CVE Record. Each CNA has a specific scope of responsibility for vulnerability identification and publishing.
    https://cve.mitre.org/about/terminology#cna
  *2 JPCERT Coordination Center (JPCERT/CC) is the first CSIRT (Computer Security Incident Response Team) established in Japan. The organization coordinates with network service providers, security vendors, government agencies, as well as industry associations. As such, it acts as a "CSIRT of CSIRTs" in the Japanese community.
    https://www.jpcert.or.jp/english