
The need for new CVEs

LWN has an interesting article CVE woes and alternatives about how hard it is to get a CVE number for a vulnerability. The general thrust is that some researchers have found it too hard and so simply don't bother.

There were some suggestions about a new system that makes it easier to get a number and track vulnerabilities.

My first thought was that something like a wiki would be a great idea. Sure, it would need curating and someone to clean up the spam and the trolls, just like Wikipedia does, but it could be manageable. This would allow researchers to easily get a number and start adding information without it needing to go through a long and bureaucratic[1] vetting process.

But then I thought it would need something just a little more than a wiki: some level of automation to pull information from other sources, not only MITRE CVEs but also things like Debian DSAs or Microsoft Security Bulletins.

Some sort of database to link a vulnerability to its related patches and keep all the different tracking systems in sync. It would have to be largely automated but also allow the community to edit and update it like Wikipedia does; otherwise keeping it up to date would become a herculean task. I believe that MITRE has a huge backlog and I think it's only going to get worse. A system that is open to the community can scale in ways a controlled system never could.

  1. I don't want to sound too negative here; the work that MITRE does is great and ensures a high quality of information, but I've experienced it myself when I look up a CVE and just see "Reserved" because it hasn't been vetted yet.

Content on this site is licensed under a Creative Commons Attribution 4.0 International License.