
recent CVE criticism

FYI. Really curious what the 'Google' bit means re: secret rules.

Presentation Title: CVE is logjammed, CNVD is nearly as bad, and my heart bleeds for the whole mess

Abstract:

In 2014-15 there was a range of high-impact vulnerabilities with catchy names: Shellshock, Heartbleed, Logjam, etc. Debate raged around this trend, with many arguing that people took named vulnerabilities more seriously regardless of their actual impact. What people didn't really consider was whether naming vulnerabilities was necessary simply to ensure they had a useful canonical identifier associated with them.

This presentation will explore the Common Vulnerabilities and Exposures (CVE) program, which aims to provide canonical identifiers for vulnerabilities. It will argue that CVE is fundamentally broken, and that the MITRE Corporation, which runs it, is both unable to fix it and unsuited to issuing canonical identifiers because of its conflict of interest as a government-funded program. A litany of failures of the CVE process will be detailed, along with inside information on the extent to which the process is governed by secret rules at the behest of large software companies *cough* Google *cough*.

Alternatives such as China's CNVD will also be examined, followed by discussion of a movement currently underway in the community to take over and fix the CVE process.

Page Last Updated or Reviewed: June 01, 2016