cl-nz logo
Story image

Gallagher fortifies cybersecurity reporting as NZ's first CVE Numbering Authority

29 Jul 2020

Gallagher has become the first New Zealand organisation to be authorised as a CVE Numbering Authority (CNA), giving the company more scope for assigning and communicating security vulnerabilities in its own product suite.

A Common Vulnerabilities and Exposure (CVE) number is a way of identifying a particular security vulnerability.  CVE notifications enable security vendors and organisations to discover and correlate vulnerability information. 

Now, Gallagher joins 132 organisations from 22 countries as an authorised CNA, alongside major tech firms including Microsoft, GitHub, Facebook, Apple, Google, Dell, HPE, NVIDIA, and many others.

According to Gallagher chief technology officer Steve Bell, the company is dedicated to providing customers with the information they need to be protected against cyber threats, and to keep systems up to date.

“Becoming the first authorised CNA in New Zealand demonstrates our commitment to delivering solutions with the highest levels of security,” he says.

MITRE Corporation CVE board member Chris Levendis says, “Adding Gallagher Group further expands the CVE Program’s reach into New Zealand and is consistent with the Program’s expansion internationally.”

“We applaud Gallagher’s commitment to security and want to warmly welcome them as they join the CVE Program as a CVE Numbering Authority. The CVE Program looks forward to partnering with Gallagher going forward as we collectively maintain our commitment to improving security. Welcome aboard Gallagher!” 

The company’s security portfolio includes access control and perimeter hardware, as well as electronic components, data security and storage, proximity and contact tracing, card printers, and many other products and solutions.

Gallagher’s states that it has an ongoing focus on addressing cybersecurity threats. This focus includes a team dedicated to cybersecurity research, development, and testing, combined with regular external security testing by specialist penetration testers to ensure quality throughout the whole product development cycle.

In addition to Gallagher’s internal research team, customers can also report vulnerabilities directly to the company. 

Gallagher aims to respond to vulnerability reports within 30 days. If a vulnerability is verified, Gallagher will work to mitigate the issue – possibly with the help of the person who submitted the report. Once Gallagher has issued a fix, the company then issues a public notification to partners and customers.

Gallagher notifies partners and customers of vulnerabilities through a security advisory system. This system includes email notifications, as well as website and support site notifications.

These notifications include the CVE identification number, severity, affected components, software versions, mitigations, who reported the vulnerability, whether there are known active exploits, a description of the vulnerabilities, and what maintenance releases are available for different software versions.