[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
recent CVE criticism
- To: CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
- Subject: recent CVE criticism
- From: jericho <jericho@attrition.org>
- Date: Tue, 31 May 2016 23:20:10 -0500
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=attrition.org;
- Delivery-date: Wed Jun 1 09:37:51 2016
- Importance: high
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 43da9c421be74aed97248473db21fd15
- Spamdiagnosticoutput: 1:2
- User-agent: Alpine 2.00 (LNX 1167 2008-08-23)
FYI. Really curious what the 'Google' bit means re: secret rules. -- http://www.scmagazine.com/alt-campaign-plans-to-replace-fundamentally-broken-cve-platform/article/498880/ https://conference.auscert.org.au/david-jorm Presentation TitleCVE is logjammed, CNVD is nearly as bad, and my heart bleeds for the whole mess Abstract
In 2014-15 there were a range of high-impact vulnerabilities with catchy names: shellshock, heartbleed, logjam, etc. Debate raged around this trend, with many arguing that people took named vulnerabilities more seriously regardless of their actual impact. What people didn't really consider was whether naming vulnerabilities was necessary simply to ensure they had a useful canonical identifier associated with them.
This presentation will explore the common vulnerabilities and exposures (CVE) program, which aims to provide canonical identifiers to vulnerabilities. It will argue that CVE is fundamentally broken, and that the MITRE corporation running it is both unable to fix it, and unsuited to issuing canonical identifiers because of its conflict of interest as a government-funded program. A litany of failures of the CVE process will be detailed, along with inside information on the extent to which the process is governed by secret rules at the behest of large software companies *cough* Google *cough*.
Alternatives such as China's CNVD will also be examined, followed by discussion of a movement currently underway in the community to take over and fix the CVE process.
- Follow-Ups:
- Re: recent CVE criticism
- From: Kurt Seifried <kseifried@redhat.com>
- Re: recent CVE criticism
- Prev by Date: Re: CNA requirements
- Next by Date: Re: recent CVE criticism
- Previous by thread: DWF Mailing lists
- Next by thread: Re: recent CVE criticism
- Index(es):
