Software Integrity Blog


For want of a CVE: MITRE’s ongoing CVE backlog

At a security conference this week, researchers complained about the CVE backlog at MITRE: the organization's slow handling of newly reported vulnerabilities and the difficulty of getting a CVE assigned at all.

At AusCERT this week, security researcher David Jorm said it’s gotten so bad that he’s started creating workarounds to the problem, such as creating his own website to get the word out about new vulnerabilities.

The Common Vulnerabilities and Exposures (CVE) system is run by the U.S. MITRE Corporation and funded by the U.S. Department of Homeland Security (DHS). Researchers at AusCERT point to a 2015 leadership change at MITRE; that, together with a transition from a manual bug-triage system to an email-based one, has left the current system overwhelmed.

“I am going to give every vulnerability that I have found a website, name, and a logo,” Jorm told AusCERT today. “I have begun with Rocket Overloaded Flags Liability (ROFL) and PHWNED.”

Dozens of security researchers, some famous and some obscure, told The Register that they too struggle to secure CVEs from MITRE.

According to iTnews, the CVE backlog issue came to a head last March when a group of security researchers banded together to create a new ID system to catalog software flaws they say were ignored by MITRE. The Distributed Weakness Filing (DWF) system was created by Red Hat employee and MITRE board member Kurt Seifried together with researchers Larry Cashdollar, Zachary Wikholm, and Josh Bressers.

“We need a distributed, scale-out method for assigning vulnerability identifiers that is as compatible with the existing CVE system as possible,” Kurt Seifried wrote. “Not just in terms of format but in terms of process and usage. My goal is to create a simple system for assigning vulnerability identifiers that relies on the community and not a single entity or organization. Additionally, I want to reduce the time and effort needed to get identifiers, something best achieved by pushing assigning out to as close to the vulnerability discovery/handling as possible.”

DWF is managed by numerous entities acting as numbering authorities. Anyone can be designated a numbering authority by requesting that status on GitHub.

For now, the DWF is an alternative for those unable to get a CVE from MITRE.
