With an increasing number of researchers displeased with the fact that it takes a lot of time to assign Common Vulnerabilities and Exposures (CVE) identifiers to their flaws, the MITRE Corporation has decided to launch a pilot program whose goal is to address the need for rapid CVE assignments.
Many researchers have recently complained that they could not obtain CVE identifiers for their vulnerabilities in a timely manner. In an effort to address current issues, an alternative system, dubbed the “Distributed Weakness Filing” (DWF) system, was proposed earlier this month by Kurt Seifried, an employee of Red Hat and a member of the CVE Editorial Board.
The goal of DWF is to reduce the time and effort needed to obtain CVE identifiers through a simple system that relies on the community and not a single entity.
MITRE has its own plans for improving the process and on Thursday announced that it will launch a new pilot program on March 21 to accelerate the assignment of CVEs.
The non-profit organization will start assigning federated CVE identifiers using a new format that will use the syntax “CVE-CCCIII-YYYY-NNNN…N,” where “CCC” is a code for the issuing authority’s country and “III” is the issuing authority. By using this format, MITRE wants to clearly differentiate rapid-assignment IDs from traditional CVEs.
“At its launch, MITRE will be the only issuing authority, but we expect to quickly add others to address the needs of the research and discloser communities, as well as the cybersecurity community as a whole. This new federated ID system will significantly enhance the early stage vulnerability mitigation coordination, and reduce the time lapse between request and issuance,” MITRE said in a press release announcing the pilot program.
“Federated CVE Identifiers will allow for rapid experimentation with new types of assignments and use cases so that CVE, the CVE Editorial Board, and the community can work together to determine what best serves the needs of the community,” MITRE said.
Seifried and others are not happy with MITRE’s proposition, especially since the organization has failed to clarify important aspects of the program, such as who else can issue federated IDs, and the lack of consultation with members of the CVE board. Experts are also concerned that the new system will break existing CVE tools.
“I fully understand you are under pressure but this is not the right way to do this. I really would have liked this to be one of the topics we discussed at the CVE Improvement Summit instead of having this hoisted on us this way. It would be in the best interest to hold off in my mind since these IDs have NO usefulness in product and this will totally confuse the market, researchers and those with operational needs for a consistent CVE,” said Intel Security’s Kent Landfield, who is also a member of the CVE Editorial Board.
Starting in January 2014, MITRE changed the CVE ID syntax to allow more than 9,999 CVEs to be assigned each year, but the use of IDs with 5 digits has so far not been needed. Only 6,419 identifiers were assigned in 2015 and nearly 8,000 in the previous year.