An Australian security researcher launched a light-hearted campaign to address ongoing issues affecting MITRE’s CVE vulnerability system.
“I am going to give every vulnerability that I have found a website, name, and a logo,” said David Jorm, IIX senior manager of product security and technology services, according to The Register.
The alternative grew out of his experiences requesting tracking numbers through the CVE vulnerability logging system. If the initial bug websites are any indication, the images offer much promise.
MITRE, the organization that manages the CVE system, responded to researchers’ frequent complaints in March, announcing a pilot platform to speed its ability to issue CVE numbers. Although researchers called MITRE’s prior system “manual and slow,” the pilot program was called off a day after it was announced. “As a result of your feedback, we will not move forward with a public announcement of the pilot plan, which we are putting on indefinite hold,” Joe Sain, CVE communications and adoption lead, wrote on the CVE discussion board.
Jorm’s presentation description on AusCERT website states that CVE is “fundamentally broken” and claims the organization has a “conflict of interest as a government-funded program.” The presentation summary continued: “A litany of failures of the CVE process will be detailed, along with inside information on the extent to which the process is governed by secret rules at the behest of large software companies *cough* Google *cough*.”