SecurityWeek

Cloud Security

Google Cloud to Assign CVEs to Critical Vulnerabilities 

Google Cloud will be assigning CVE identifiers to serious cloud vulnerabilities, even ones that don’t require patching.

Google Cloud announced on Tuesday that moving forward it will assign CVE identifiers to critical vulnerabilities found in its products, even if they do not require the user to deploy patches or take other action.

Critical Google Cloud flaws that will receive CVEs will have advisories published on the Google Cloud Security Bulletins page. 

A tag named ‘exclusively-hosted-service’ will indicate that customers do not need to take any action for a specific vulnerability. 

The expansion of its CVE program is part of its commitment to transparency, Google Cloud said. 

The cloud giant recently announced a new Vulnerability Reward Program (VRP) with bug bounties of up to $100,000 for security issues found in its products and services. 

“While the Google Cloud VRP has a specific focus on strengthening Google Cloud products and services, and brings together our engineers with external security researchers to further the security posture for all our customers, CVEs enable us to help our customers and security researchers track publicly-known vulnerabilities,” Google Cloud representatives said in a blog post.

Google Cloud joins Microsoft, which since June 2024 has been assigning CVE identifiers and publishing advisories for cloud vulnerabilities that do not require any user interaction.

Amazon Web Services (AWS) has also been issuing CVE identifiers for vulnerabilities affecting its cloud products and services. 

Cloud security giant Wiz has been maintaining a database of cloud vulnerabilities since 2022. The database currently stores information on nearly 200 security issues found between 2008 and the present day.

The CVE Program recently turned 25. There are currently over 400 CVE Numbering Authorities (CNAs), and more than 240,000 CVE identifiers had been assigned as of October 2024.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
