Software Integrity


For want of a CVE

At a security conference this week, researchers complained about MITRE’s handling of new vulnerabilities and the difficulties of getting a CVE assigned.

At AusCERT this week, security researcher David Jorm said it’s gotten so bad that he’s started creating workarounds to the problem such as creating his own website to get the word out about new vulnerabilities.

The Common Vulnerabilities and Exposures (CVE) system is run by the US MITRE Corporation and funded by the US Department of Homeland Security (DHS). Researchers at AusCERT point to a 2015 leadership change at MITRE. That, together with a transition from a manual to an email-based bug triage system, has left the current system overwhelmed.

“I am going to give every vulnerability that I have found a website, name, and a logo,” Jorm told AusCERT today. “I have begun with Rocket Overloaded Flags Liability (ROFL) and PHWNED.”

Dozens of security researchers, some famous and some obscure, told The Register that they too struggle to secure CVEs from MITRE.

According to ITNews, the CVE issue came to a head last March when a group of security researchers banded together to create a new ID system to catalogue software flaws they say were ignored by MITRE. The distributed weakness filing (DWF) system was created by Red Hat employee and MITRE board member Kurt Seifried together with researchers Larry Cashdollar, Zachary Wikholm, and Josh Bressers.

“We need a distributed, scale-out method for assigning vulnerability identifiers that is as compatible with the existing CVE system as possible,” Kurt Seifried wrote. “Not just in terms of format but in terms of process and usage. My goal is to create a simple system for assigning vulnerability identifiers that relies on the community and not a single entity or organization. Additionally I want to reduce the time and effort needed to get identifiers, something best achieved by pushing assigning out to as close to the vulnerability discovery/handling as possible.”

DWF is managed by numerous entities acting as numbering authorities. Anyone can be designated a numbering authority by requesting the status on GitHub.

For now, DWF is an alternative for those unable to get a CVE from MITRE.