The HDF Group Designated as a CVE Numbering Authority, Taking Control of the HDF5 Vulnerability Lifecycle

New CNA status enables faster response, enhanced transparency, and streamlined collaboration across the HDF5 ecosystem; milestone advances the NSF Safe‑OSE HDF5 SHINES initiative

CHAMPAIGN, Ill. — The HDF Group today announced that it has been designated as a CVE Numbering Authority (CNA), marking a major step forward in how vulnerabilities affecting HDF5 are identified, coordinated, and communicated. As a CNA, an organization is authorized within its scope to assign CVE IDs and publish CVE Records, giving maintainers a more direct role in vulnerability disclosure and record publication.

HDF5 is foundational data infrastructure used across science, research, industry, healthcare, finance, and national security. As the nonprofit developer and maintainer of HDF5, The HDF Group is uniquely positioned to manage vulnerability disclosure closer to the codebase, the maintainers, and the global community that depends on the technology every day.

Taking Control of the HDF5 Vulnerability Lifecycle

For The HDF Group, CNA status means taking direct control of the HDF5 vulnerability lifecycle — from coordinated intake and CVE assignment to clear public records and downstream communication. In practice, that should translate into three immediate benefits for the HDF5 community: faster response, because CVE IDs and records can be handled closer to the maintainers; enhanced transparency, because records can be published with HDF5-specific context, impact, and remediation detail; and streamlined collaboration, because researchers and ecosystem partners have a clearer path for coordinated disclosure. These are core advantages that open-source projects gain when they move from relying on third parties to managing CVE IDs and records within their own scope.

“Becoming a CNA is an important milestone for The HDF Group and for the HDF5 community,” said Dr. Gerd Heber, Executive Director of The HDF Group and principal investigator of the project behind this work. “It allows us to respond faster, communicate more clearly, and work more directly with researchers, users, and downstream maintainers. Most importantly, it strengthens trust in HDF5 as critical open-source infrastructure.”

A Direct Outcome of HDF5 SHINES

This milestone is a direct outcome of HDF5 SHINES, the short title for The HDF Group’s NSF Safe‑OSE project, “NSF‑Safe‑OSE: Strengthening HDF5 for Science, Industry, and National Security Applications” (Award #2534078). Through HDF5 SHINES, The HDF Group is building the processes, tools, and community structures needed to strengthen the safety, security, and privacy of the HDF5 ecosystem. The project’s roadmap includes security reviews, technical mitigations, public resources, community updates, and ongoing work to help ensure HDF5 remains a trusted component of the software supply chain. NSF describes Safe‑OSE as an effort to strengthen open-source ecosystems’ capacity to manage risks, attacks, breaches, and responses.

Commitment to the Global Security Community

The HDF Group views CNA status as more than an operational improvement. It is a public commitment to the global security community. Through HDF5 SHINES, The HDF Group is already expanding channels for collaboration through mailing lists, webinars, forum updates, and public project communications. CNA status adds an important missing capability: the ability to pair that open collaboration with direct, authoritative CVE assignment and publication for HDF5-related vulnerabilities within scope.

By bringing CVE coordination closer to the HDF5 maintainers, The HDF Group aims to make vulnerability handling more direct, more transparent, and more accountable for everyone who relies on HDF5 — from security researchers and package maintainers to application developers, laboratories, companies, and public institutions worldwide.

About The HDF Group

The HDF Group is a nonprofit organization advancing open-source data management technologies and supporting long-term access to data for a diverse global user community. It is the developer of HDF5, including the HDF5 software library, data format, and scalable data services used across multiple industries and throughout the scientific and research community.

Media Contact
Lori Cooper
Communications Lead, NSF Safe‑OSE Project
The HDF Group
Email
(217) 531-6100

This material is based upon work supported by the U.S. National Science Foundation under Federal Award No. 2534078. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
