MITRE Puts Rapid CVE Assignment Pilot on Hold

In response to criticism from the CVE Editorial Board, the MITRE Corporation has decided to put a recently announced pilot program meant to address the need for rapid CVE assignments on hold.

After many researchers complained that they could not obtain Common Vulnerabilities and Exposures (CVE) identifiers for their flaws in a timely manner, MITRE announced that it would launch a pilot program on Monday, March 21, in an attempt to address the issue.

As part of this program, MITRE said it would start assigning federated CVE identifiers using a new format in order to clearly differentiate rapid-assignment IDs from traditional CVEs.

However, members of the CVE Editorial Board, including Red Hat’s Kurt Seifried and Intel Security’s Kent Landfield, pointed out that the new system would have a negative impact on existing CVE tools.

Earlier this month, Seifried proposed a new system, dubbed “Distributed Weakness Filing” (DWF), that would rely on the community to quickly assign CVE identifiers.

Joe Sain, CVE communications and adoption lead at MITRE, said on Friday that the pilot program has been put on “indefinite hold” as a result of the concerns raised with the proposed syntax.

“The pilot was designed to run in parallel and to be completely separate from the production CVE stream, but we certainly understand the importance of not perturbing any operating aspect of CVE,” explained Sain. “Our goal is to be responsive to the critical need for the no-description use case, but we must also ensure that we have the correct operating model.”

“We truly appreciate your feedback, and we are looking forward to developing an operating model that enables CVE to move forward and that preserves the foundational work that the community has put into the effort,” he added.

Sain said MITRE plans on holding an Editorial Board meeting this week to discuss this issue and other concerns members of the board may have.