close search bar

Sorry, not available in this language yet

close language selection

For want of a CVE: MITRE’s ongoing CVE backlog

Synopsys Editorial Team

May 24, 2016 / 1 min read

At a security conference this week, researchers complained about the CVE backlog at MITRE, related to the organization’s handling of new vulnerabilities, and the difficulties of getting a CVE assigned.

At AusCERT this week, security researcher David Jorm said it’s gotten so bad that he’s started creating workarounds to the problem, such as creating his own website to get the word out about new vulnerabilities.

The Common Vulnerabilities and Exposures (CVE) system is run by the U.S. MITRE Corporation and funded by the U.S. Department of Homeland Security (DHS). Researchers at AusCERT point to a 2015 leadership change at MITRE. That and a transition from a manual bug triage system to an email-based one have left the current system overwhelmed.

“I am going to give every vulnerability that I have found a website, name, and a logo,” Jorm told AusCERT today. “I have begun with Rocket Overloaded Flags Liability (ROFL) and PHWNED.”

Dozens of security researchers, some famous and some obscure, told The Register that they too struggle to secure CVEs from MITRE.

According to iTnews, the CVE backlog issue came to a head last March when a group of security researchers banded together to create a new ID system to catalog software flaws they say were ignored by MITRE. The Distributed Weakness Filing (DWF) system was created by Red Hat employee and MITRE board member Kurt Seifried together with researchers Larry Cashdollar, Zachary Wikholm, and Josh Bressers.

“We need a distributed, scale out method for assigning vulnerability identifiers that is as compatible with the existing CVE system as possible,” Kurt Seifried wrote. “Not just in terms of format but in terms of process and usage. My goal is to create a simple system for assigning vulnerability identifiers that relies on the community and not a single entity or organization. Additionally I want to reduce the time and effort needed to get identifiers, something best achieved by pushing assigning out to as close to the vulnerability discover/handling as possible.”

DWF is managed by numerous entities acting as numbering authorities. Anyone can be designated a naming authority by requesting the status on GitHub.

For now, the DWF is an alternative for those unable to get a CVE from MITRE.

READ NEXTClosing the CVE gap still a work in progress

Continue Reading

Top 10 free pen tester tools

Top 10 free pen tester tools

Natalie Lightner
By Natalie Lightner

Apr 11, 2024 / 5 min read

Tags: Software Integrity, Security News & Trends, Pen Testing, Web AppSec, Manage Security Risks
Introducing fAST Dynamic: Streamlining dynamic application security testing

Introducing fAST Dynamic: Streamlining dynamic application security testing

Vishrut Iyengar
By Vishrut Iyengar

Mar 19, 2024 / 3 min read

Tags: DAST, Software Integrity, Security News & Trends, Build Security into DevOps
CVE-2017-5638: The Apache Struts vulnerability explained

CVE-2017-5638: The Apache Struts vulnerability explained

Fred Bals
By Fred Bals

Mar 16, 2024 / 3 min read

Tags: Software Integrity, Security News & Trends, Secure the Software Supply Chain

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security