Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



MITRE Puts Rapid CVE Assignment Pilot on Hold

In response to criticism from the CVE Editorial Board, the MITRE Corporation has decided to put a recently announced pilot program meant to address the need for rapid CVE assignments on hold.

In response to criticism from the CVE Editorial Board, the MITRE Corporation has decided to put a recently announced pilot program meant to address the need for rapid CVE assignments on hold.

After many researchers complained that they could not obtain Common Vulnerabilities and Exposures (CVE) identifiers for their flaws in a timely manner, MITRE announced that it would launch a pilot program on Monday, March 21, in an attempt to address the issue.

As part of this program, MITRE said it would start assigning federated CVE identifiers using a new format in order to clearly differentiate rapid-assignment IDs from traditional CVEs.

However, members of the CVE Editorial Board, including Red Hat’s Kurt Seifried and Intel Security’s Kent Landfield, pointed out that the new system would have a negative impact on existing CVE tools.

Earlier this month, Seifried proposed a new system, dubbed “Distributed Weakness Filing” (DWF), that would rely on the community to quickly assign CVE identifiers.

Joe Sain, CVE communications and adoption lead at MITRE, said on Friday that the pilot program has been put on “indefinite hold” as a result of the concerns raised with the proposed syntax.

“The pilot was designed to run in parallel and to be completely separate from the production CVE stream, but we certainly understand the importance of not perturbing any operating aspect of CVE,” explained Sain. “Our goal is to be responsive to the critical need for the no-description use case, but we must also ensure that we have the correct operating model.”

Advertisement. Scroll to continue reading.

“We truly appreciate your feedback, and we are looking forward to developing an operating model that enables CVE to move forward and that preserves the foundational work that the community has put into the effort,” he added.

Sain said MITRE plans on holding an Editorial Board meeting this week to discuss this issue and other concerns members of the board may have.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.