Infosec pros point at problem with CVE system, offer alternative

For the last 17 years, the American not-for-profit MITRE Corporation has been editing and maintaining the list of Common Vulnerabilities and Exposures (CVEs).

Researchers who discover vulnerabilities in software usually apply with MITRE to get a CVE number to go along with the bug, so that they are unequivocally identified and, hopefully, addressed by those who need to do so.

But according to a number of researchers, MITRE has lately been doing a lousy job when it comes to assigning these numbers, forcing researchers to do without them or to delay public disclosure of vulnerabilities indefinitely.

Both decisions are less than ideal, because without a CVE number vulnerabilities often don’t get the attention they deserve from government or private sector organizations.

And many of these are well-known researchers, finding vulnerabilities in widely used software, so the question of why MITRE is apparently ignoring their requests for CVE numbers is puzzling.

The problem is getting worse by the day, and the situation has spurred Kurt Seifried, a “Red Hat Product Security Cloud guy” and a CVE Editorial Board member, to create a complementary system for numbering vulnerabilities.

“We need a distributed, scale out method for assigning vulnerability identifiers that is as compatible with the existing CVE system as possible. Not just in terms of format but in terms of process and usage,” he noted in an email sent to the Open Source Security Mailing List on Monday.

“As such I took on the task, creating the DWF system and getting a number of other people involved (Larry Cashdollar, Zachary Wikholm, Josh Bressers, etc.). My goal is to create a simple system for assigning vulnerability identifiers that relies on the community and not a single entity or organization. Additionally I want to reduce the time and effort needed to get identifiers, something best achieved by pushing assigning out to as close to the vulnerability discover/handling as possible.”

The DWF (Distributed Weakness Filing) System uses the same format as CVE for numbering the vulnerabilities. If a researcher already received a CVE identifier, he or she can map it directly to DWF.

Other ways to get a DWF identifier assigned is to become a DWF Numbering Authority (DNA) and assign it yourself, request a DWF from a DNA, or make a PULL request in GitHub to the DWF Database.

More information about the project and which vulnerabilities will be assigned a DWF number can be found here. The project is a few days old, but there is already eight entries in the DWF Database for 2016. Time will tell whether it will have more success.

In the meantime, a lively discussion has been going on the oss-sec mailing list, in which several well-known and respected researchers confirmed their problems with getting a CVE issued for their findings, and have been debating the pros and cons of starting a new standard independently of CVE.

In the discussion it was also revealed that MTRE has been issuing CVEs, but too slowly. Managing editor with the MITRE Corporation Steve Boyle also stopped by and said that the CVE team is holding a series of internal meetings regarding this issue, and that a meeting with the Editorial Board should be next – when they have come up with recommendations and proposals regarding the next steps to take.

Seifried has shared his own thoughts on how the process can be improved.

“As I’ve repeatedly stated the DWF wants to work with CVE/Mitre if possible, forking vulnerability identification will create additional costs (retooling all the systems and process that rely on CVE) so I want to minimize that as much as possible, the goal is to make things better and easier, not to add another standard for the sake of itself,” he noted.

We’ve asked MITRE for a comment on the issue, and we have received the following one:

“CVE has been experiencing an unprecedented demand for vulnerability IDs. We look forward to working with the CVE Editorial Board and the broader vulnerability management community to significantly improve stakeholder communication, and improve and scale CVE operations to reduce ID assignment response times and increase product coverage. Details as they become available will be posted to http://cve.mitre.org/.”