Shostack + Friends Blog


A few thoughts on CVE

The CVE logo

CVE funding is apparently not being renewed. I haven’t been operationally involved for a long time and I’m sorry for what the team is going through. I’m not alone in having strong feelings, and I want to talk about some of the original use cases that informed us as we set up the system. (You might also enjoy my thoughts on 25 Years of CVE for some context.)

Those use cases included comparing vulnerability reports from different sources. It’s a lot of work to decide whether two vulns are the same. Tagging both with a shared name was an important use case in 1997, and one that I got to revisit around 2010 when I was doing work to understand how malware got into PCs. Most of the attacks in exploit kits were not CVE-labeled. So deciding what they were took hours per vuln, with a high failure rate, versus minutes when they had a CVE assigned.

CVE achieved public good status exceptionally quickly, in part because of support from thoughtful leaders like Tony Sager while he was at NSA. Finding support from outside the government was, as I recall, harder because MITRE is Congressionally chartered and has difficulty taking money from anyone but the US Government.

There are other use cases, and I want to mention them because when I talked privately with friends, they weren’t aware of these. All vendor names are used as examples.

  • “Did Red Hat fix this Python bug, or do we need to find a patch ourselves?” is far easier to answer with CVEs.
  • Did Apple fix this OpenSSL bug after getting version-locked to OpenSSL 0.9.8?
  • Having a name lets you discuss “did Microsoft fix this yet?”, and if there’s a tool that tests for it, you can cross-check the bug, the proof of concept, and the patch against each other.
  • Having an authoritative public timetable, including the issuance date, helped everyone understand when a vendor was slow-rolling a fix.
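As an added illustration of the first two use cases above (my example, not code from this post or from any vendor), here is the “did the vendor fix it?” check as a join on CVE ID: the advisory’s CVE list answers the question even when a backported fix leaves the upstream version string at 0.9.8, and a finding with no CVE ID falls through to manual comparison. The advisory data, build numbers and CVE numbers are constructed placeholders.

```python
# Added example, not code from the post: answer "did the vendor fix it?" by joining
# scanner findings to vendor advisories on CVE ID. A backported fix keeps the old
# upstream version (the "locked to 0.9.8" case), so the version string alone cannot
# answer; findings with no CVE ID have nothing to join on and go to a human.
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_in: str      # vendor build carrying the (possibly backported) fix
    cves: frozenset    # CVE IDs the vendor states this build fixes

@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: str
    cve: Optional[str]  # None when the scanner matched only on a description

def version_key(v: str) -> list:
    """Numeric chunks of a version string: '0.9.8-12' -> [0, 9, 8, 12]."""
    return [int(n) for n in re.findall(r"\d+", v)]

def fix_status(finding: Finding, advisories) -> str:
    """Return 'fixed', 'vulnerable' or 'manual' for one scanner finding."""
    if finding.cve is None:
        return "manual"          # no identifier: compare descriptions by hand
    for adv in advisories:
        if adv.package == finding.package and finding.cve in adv.cves:
            if version_key(finding.installed) >= version_key(adv.fixed_in):
                return "fixed"
            return "vulnerable"  # fix published, this host has not taken it
    return "vulnerable"          # CVE known, no vendor fix announced yet

def triage(findings, advisories) -> dict:
    """Map 'host/package' to its status; one set lookup per finding, no guesswork."""
    return {f"{f.host}/{f.package}": fix_status(f, advisories) for f in findings}

# Constructed sample data: placeholder CVE numbers and hypothetical vendor builds.
ADVISORIES = [
    Advisory("openssl", "0.9.8-12", frozenset({"CVE-0000-0001"})),
    Advisory("python", "2.7.5-90", frozenset({"CVE-0000-0002"})),
]
FINDINGS = [
    Finding("web1", "openssl", "0.9.8-12", "CVE-0000-0001"),  # old version string, patched build
    Finding("web2", "openssl", "0.9.8-11", "CVE-0000-0001"),  # one build behind the fix
    Finding("db1", "python", "2.7.5-80", "CVE-0000-0002"),
    Finding("db2", "python", "2.7.5-90", None),                # scanner supplied no CVE ID
]
```

Running `triage(FINDINGS, ADVISORIES)` marks web1 fixed despite its 0.9.8 version string, web2 and db1 vulnerable, and db2 as manual work.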

I’m hopeful that the CNAs will pick up the load, and that they either already have reserved ID blocks or can coordinate among themselves to assign blocks, so that the core mission of vuln identifiers keeps working while this gets sorted out.

Some other useful data points include:

[Critical update: fixed the Josh Bressers Discord link. Thanks for the flags, everyone.]

[Second update: Added Vulncheck link.]