MITRE’s short-term solution to the problem of slow CVE assignment is to set up an experimental system for issuing federated CVE IDs using a new format.
“(…) the researcher and discloser communities have identified a need for rapid, early assignments of CVE IDs to enable early-stage vulnerability coordination and mitigation. The immediacy of this use case means that the requirement for traditional references and descriptions is, at times, less important than the rapid issuance of unique identifiers,” says the press release that will accompany the launch of the pilot program scheduled for Monday, March 21, 2016.
“The new format will not have any impact on either direct or downstream uses of the current-format CVEs. MITRE also recognizes that it is critical for the community and stakeholders to be able to easily differentiate between traditional CVE entries and those IDs that have been assigned for the rapid-response use case,” it is noted.
To that effect, “the federated ID syntax will be CVE-CCCIII-YYYY-NNNN…N, where ‘CCC’ encodes the issuing authority’s country and ‘III’ encodes the issuing authority.”
MITRE will initially be the only issuing authority, but they expect “to quickly add others.”
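The syntax quoted above is the whole reason the Editorial Board worried about tooling: a parser written for `CVE-YYYY-NNNN` simply does not match `CVE-CCCIII-YYYY-NNNN…N`. The following is an added example (not MITRE's code and not part of the pilot) that parses both forms and keeps them distinguishable. The announcement does not say how `CCC` and `III` are encoded, so the three-uppercase-letter country code, the three-alphanumeric authority code, and the sample IDs (including the made-up authority `USAMTR`) are assumptions used only to exercise the syntax.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Traditional CVE ID syntax: CVE-YYYY-NNNN, with four or more sequence
# digits (the variable-length sequence number was adopted in 2014).
CLASSIC_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")

# Federated pilot syntax quoted in the article: CVE-CCCIII-YYYY-NNNN...N.
# Assumption (the announcement does not specify this): CCC is three
# uppercase letters for the country and III is three uppercase
# alphanumerics for the issuing authority.
FEDERATED_RE = re.compile(
    r"^CVE-(?P<country>[A-Z]{3})(?P<authority>[A-Z0-9]{3})"
    r"-(?P<year>\d{4})-(?P<seq>\d{4,})$"
)


@dataclass(frozen=True)
class CveId:
    raw: str
    year: int
    sequence: int
    country: Optional[str] = None    # set only for federated IDs
    authority: Optional[str] = None  # set only for federated IDs

    @property
    def federated(self) -> bool:
        return self.country is not None


def parse_classic(text: str) -> Optional[CveId]:
    """Parse the traditional format only; returns None for anything else."""
    m = CLASSIC_RE.match(text.strip())
    if m is None:
        return None
    return CveId(raw=m.group(0), year=int(m["year"]), sequence=int(m["seq"]))


def parse_cve(text: str) -> Optional[CveId]:
    """Parse either format so the two ID streams stay distinguishable."""
    classic = parse_classic(text)
    if classic is not None:
        return classic
    m = FEDERATED_RE.match(text.strip())
    if m is None:
        return None
    return CveId(
        raw=m.group(0),
        year=int(m["year"]),
        sequence=int(m["seq"]),
        country=m["country"],
        authority=m["authority"],
    )


def unparsed_by_classic_tooling(ids: List[str]) -> List[str]:
    """Simulate an existing tool that knows only the classic regex:
    every federated ID falls through as unrecognised."""
    return [i for i in ids if parse_classic(i) is None]


# Constructed sample input: two traditional-format strings (one with a
# five-digit sequence) and one hypothetical federated ID. None of these
# is meant to refer to a real vulnerability.
SAMPLE_IDS = ["CVE-2016-1234", "CVE-2014-12345", "CVE-USAMTR-2016-0001"]

if __name__ == "__main__":
    for i in SAMPLE_IDS:
        print(i, "->", parse_cve(i))
    print("dropped by classic-only tooling:",
          unparsed_by_classic_tooling(SAMPLE_IDS))
```

The `unparsed_by_classic_tooling` helper is the practical check: run it over an inventory of IDs from a scanner or advisory feed and anything it returns is an ID the existing pipeline would silently drop, which is the breakage Seifried describes below.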
The pilot program was announced by Joe Sain, CVE Communications and Adoption Lead at MITRE, via an email to the CVE Editorial Board mailing list.
Sain explained that this decision was not an attempt to circumvent the Editorial Board but “an experimental step toward the federated vulnerability ID methodology that the community has been discussing over the past several years.” He said that the Board will be included in the evaluation of the results of the pilot program, and in the development of a long-term solution to the problem.
CVE Editorial Board member Kurt Seifried, who officially jumpstarted the debate on the CVE assignment problem by creating (along with several collaborators) the DWF (Distributed Weakness Filing) System, expressed his scepticism regarding MITRE’s temporary solution, along with his worry that the Board wasn’t consulted regarding this project.
“So this breaks every piece of CVE tooling/software currently in existence. Before the industry collectively puts a few tens/hundreds of thousands of hours of work and quite a lot of money into supporting this is there any guarantee from Mitre that this is a long term project?” he then asked.
Kent Landfield, a fellow member of the board, agreed with Seifried and argued that the new system could make the problem worse.
“I fully understand you are under pressure but this is not the right way to do this. I really would have liked this to be one of the topics we discussed at the CVE Improvement Summit instead of having this hoisted on us this way,” he pointed out.
“It would be in the best interest to hold off in my mind since these IDs have NO usefulness in product and this will totally confuse the market, researcher and those with operational needs for a consistent CVE,” he opined.
UPDATE (20 March, 2016):
The proposed experimental system for issuing federated CVE IDs using a new format has been put on “indefinite hold.”
“A number of concerns with the proposed syntax were raised, and we heard them clearly,” Sain noted in an email to the mailing list.
“The pilot described yesterday was designed to run in parallel and to be completely separate from the production CVE stream, but we certainly understand the importance of not perturbing any operating aspect of CVE. Our goal is to be responsive to the critical need for the no-description use case, but we must also ensure that we have the correct operating model.”
A new and better solution will be discussed in an Editorial Board meeting in the coming days.