[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE program priorities

Simply an observation on this statement:

The simple fact is that the number of CVEs published every year has not kept pace with the rate or number of vulnerabilities disclosed. 

This is an indirect measure — and a depressing one — of the state of software quality, vendor commitment, and consumer pressure.

Every year that I have worked in the field (about 31 now) I have been heartened by the wonderful people who are concerned with the problems, yet on balance, more depressed about the future.   This year is no different.

In 1985 there were 2 PC viruses “in the wild.”  In 1986, there were 7 (2+5).  In 1987, 12.  In 1988, 24.  Now, there are millions of families of malware and no one is able to keep an accurate count.  The rate of increase is still exponential.  

The “cyber” world largely continues to operate on a “ship crap, fix it later” model.  Whatever we do with the CVE infrastructure is not going to change the causality, and eventually any response will break under the load, the same as the malware repository/naming model has.

I won’t close with “Bah, humbug” because someone would feel compelled to generate a CVE for that bug, too.

My best (but someone curmudgeonly) wishes to you all for happy, safe holidays, and a wonderful new year.
—spaf

smime.p7s

Page Last Updated or Reviewed: December 29, 2015