One Solution to MITRE's Overworked CVE System: Build a New One

An anonymous reader writes: For the last 17 years, the American not-for-profit MITRE Corporation has been editing and maintaining the list of Common Vulnerabilities and Exposures (CVEs). According to a number of researchers, MITRE has lately been doing a lousy job when it comes to assigning these numbers, forcing researchers to do without them or to delay public disclosure of vulnerabilities indefinitely. The problem is getting worse by the day, and the situation has spurred Kurt Seifried, a "Red Hat Product Security Cloud guy" and a CVE Editorial Board member, to create a complementary system for numbering vulnerabilities.
  • by Anonymous Coward
    no offense, but this article has been copied from The Register.
  • Yes, because another service is always the solution ... instead of fixing the existing one and improving it.

    This is typical red hat (and a common Linux issue in general) ... we don't like it so we're going to reinvent the wheel ... poorly and refuse to acknowledge any problems or defects in the new version.

    Sometimes you just need to put a little effort into actually working together instead of being a douchebag loan wolf who takes his toys and goes to live in the woods.

    • by arth1 ( 260657 )

      a douchebag loan wolf

      Is that better or worse than a loan shark?

    • Yes, because another service is always the solution ... instead of fixing the existing one and improving it.

      So, how do you do that exactly? Someone asks MITRE for a CVE number for a vulnerability they've found and MITRE replies:

      Thank you for your request.

      Your request is outside the scope of CVE's published priorities. As such, it will not be assigned a CVE-ID by MITRE or another CVE CNA at this time.

      What next?

      • by mysidia ( 191772 )

        What next?

        Why don't we just have the vendor self-generate a GUID to use to refer to the security vulnerability?

        Whoever notes the vulnerability first generates a GUID, and MITRE's only job becomes to provide a database of the GUIDs.

        • MITRE refused to allocate a CVE. It's not the number that's the problem, it's that they are refusing to do their job.

  • by Dr. Evil ( 3501 ) on Friday March 11, 2016 @11:29AM (#51677613)

    1 is a number. There are lots of numbers.

    If there's a problem at all, I would wager it's all the crappy "security researchers" trying to make a name for themselves by claiming the sky is falling and getting a CVE on their blog to make themselves look important.

    • by generic ( 14144 )

      What makes for a crappy security researcher? Because the software they've found a bug in isn't on MITRE's short little list of CVE-approved vendors?

      • by Dr. Evil ( 3501 )

        If I have a Radware product in my organization, I would subscribe to their security and support mailing lists, which is where this seems to be posted. There are thousands or more of different products from different vendors, probably tens or hundreds of thousands if you include the crazy knockoffs, FOSS assemblages, and fly-by-night companies.

        There are far fewer genuinely unique bits of software which most of these products are made from. E.g., only so many IP stacks are out there, only so many web se

        • by generic ( 14144 )

          I see your point. I only care to assign CVE IDs to my discoveries because folks ask me for them. It gets annoying when I've found a vulnerability and someone is hounding me about the CVE ID so they can track it and MITRE doesn't respond to my emails.

  • by OffTheLip ( 636691 ) on Friday March 11, 2016 @11:54AM (#51677815)
    The US Dept of Defense (DoD) is a Red Hat customer and is required to react to IAVAs/CVEs. MITRE provides systems engineering support for the USAF among other branches, so it seems like a good working relationship to me. Red Hat has been supportive of the IAVA/CVE patch process, and working to better the system is a win-win in my opinion.
  • Maybe we find a way to not have so many vulnerabilities. Just a thought.
    • >> Just a thought.

      When did this place become Facebook? What's next, "just sayin'"? "JK"? Perhaps your high ID explains it, but on SlashDot there's no reason to snark off and then hide behind your mom's skirt - we LIKE bold discussions.
      • The fact that vulnerabilities are happening so fast that we can't even catalog them speaks pretty poorly for our industry. There is new code being written today that will have exploitable buffer overflows, even though this problem has been well documented since probably the seventies. We have things like ASLR that put a band-aid on it, but the reality is that the systems we develop are a few more orders of magnitude more complicated than what was built back then. But our tools and techniques haven't adv
  • by feenberg ( 201582 ) on Friday March 11, 2016 @12:47PM (#51678365)

    Is the problem that MITRE has an inventory of unprocessed requests, or that MITRE is rejecting requests as duplicative or incorrect? That does make a difference in how one thinks about the problem. If the latter, perhaps those in favor of bypassing MITRE could provide convincing examples of incorrect rejections.

  • "Non-profit" is a pretty loaded term here. It implies charities or colleges or arts organizations. That's not really what's going on. It just means that they're not turning their profits over to any shareholders. There are tax consequences, but it's actually not all that big a deal, since even ordinary corporations are only supposed to be paying taxes on profits anyway, not revenues. Which theoretically lets them raise wages and lower prices, though they're not actually all that good at either. Mostly, they

  • Problem: there are N relevant places to look for CVEs.

    Solution: let's make a better one!

    Problem: there are N+1 relevant places to look for CVEs.
