Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies

[Kurt Seifried <kseifried () redhat com>]

On Wed, Mar 9, 2016 at 1:34 PM, Timothy D. Morgan <
tim-security () sentinelchicken org> wrote:

> > All - I've chatted with some of the people who fund the CVE work at
> MITRE.
> > I've learned that CVEs *are* being issued, but obviously that is
> happening too slowly.
> > They're having a meeting tomorrow (March 10) to try to figure out what
> > the problems are and how to fix it.  I don't know what they'll do.
> > However, I'm hopeful that  this will mean that the CVE work will get
> > back on track soon.
>
>
> Thanks David for finding the right people and raising the issue with
> them.  I'm sure media coverage is probably helping as well:
>
> http://www.theregister.co.uk/2016/03/09/hackers_spin_up_alternative_cve_system_as_bugs_go_unchecked/
>
> Suppose MITRE fixes their issues tomorrow and the CVE goes back to the
> way it was.  Is that really want we need going forward?  A system
> that's based on sending emails between humans and posting only
> one-line descriptions with a series of links (half of which are broken
> after a short time)?  A system which tries to distribute the load by
> using "big" software vendors, many of whom have a vested interest in
> limiting what vulnerabilities get published in their software?
>
> It seems like we can do better than this.  Infosec hasn't been
> "working" for some time.  Perhaps we need better tools to help us get
> ahead of the game.

Even if Mitre had unlimited funding there will be a need for the community
to be involved, especially if we're going to make sure that CVE/DWF cover
important flaws (of which there are thousands right now, and we haven't
even dealt with the IoT or non english software markets like China....).

Putting on my info security economics hat:

And I suspect the solution to this is the same as Open Source, we scale
out, build a community and process that works and change as needed. DWF is
one such effort. We aim to reduce the cost of vulnerability identification,
and vulnerability coordination so that there's more less negative incentive
(cost in time and effort) to do this right.

As I've repeatedly stated the DWF wants to work with CVE/Mitre if possible,
forking vulnerability identification will create additional costs
(retooling all the systems and process that rely on CVE) so I want to
minimize that as much as possible, the goal is to make things better and
easier, not to add another standard for the sake of itself.


> --
> tim
> @ecbftw



-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com