Software Integrity Blog


How Distributed Weakness Filing might help MITRE’s CVE

Complaints about the current Common Vulnerabilities and Exposures (CVE) system run by the MITRE organization have prompted a new community-powered alternative, the Distributed Weakness Filing (DWF) system. DWF is available on GitHub.

The MITRE-controlled CVE, used to assign specific numbers to newly disclosed vulnerabilities, has been used in the InfoSec community for the last few years. But concerns around backlogs spilled over at last week’s AusCERT conference, with at least one presenter mocking the current practice. At issue is the fact that MITRE has fallen behind in issuing CVEs. Also, even when it has assigned a CVE, it’s often slow to release details.

Kurt Seifried, security researcher at Red Hat, thinks he has the answer in DWF. For one thing, DWF adds a more global perspective to CVE, which currently covers mostly English-language, North American software. It doesn’t, for example, have good coverage of software originating in Japan, India, China, Russia and other countries. Also, the current CVE system doesn’t cover the medical industry, aerospace, cars, or even the Internet of Things well.


“The DWF is also about experimenting with CVE; an example is that we have specified a data format for information related to the CVEs, such as severity information, workarounds and so on, that does not currently exist in the MITRE CVE database,” Seifried told eWeek. “Part of the DWF plan is to make the data not only available to read, but also to write, assuming the data coming back is of sufficient quality, for anyone.”

Part of the problem with CVEs is that MITRE has changed how it runs the organization. This has resulted in a severe backlog. MITRE has proposed a new plan to deal with the scale issues the system is currently experiencing.

“The long-term plan for CVE [and DWF] as it stands now is to move to a ‘federation’ model, with MITRE remaining as the master of CVE and then a number of entities covering various spaces,” Seifried explained to eWeek. “DWF, for example, would focus on open source and, potentially, we could end up with country-/language-specific CVE entities, or industry verticals to cover specific technology use cases, like the software that governs self-driving cars.”

Seifried said in the interview that MITRE is currently in Stage 1, where they are not consuming DWF data; they are just marking CVEs as “RESERVED” once DWF has assigned them. “During Stage 2, MITRE will actually consume the DWF data [descriptions, etc.]; however, prior to Stage 2, MITRE wants to get the licensing and some other legalities all squared away, something that is being worked on with their lawyers and Red Hat’s legal team,” Seifried said.
