Vulnerability Management

MITRE piloting improved CVE vulnerability reporting, tracking system

MITRE Corporation, the non-profit organization that manages the CVE vulnerability reporting and tracking system, has launched a new platform to fast-track the process.

The new pilot system was announced following security researchers' increasingly vocal frustrations using the previous platform, which has been called “manual and slow,” especially for smaller or mid-sized companies.

In an email to SCMagazine.com, one researcher noted a common experience; he sent an email to report a new vulnerability, only to receive no response. “I sent a second email which then resulted in me getting a CVE number assigned,” wrote SANS Technology Institute's dean of research Johannes Ullrich.

The new system, which is based on a suggestion offered by Kurt Seifried, a CVE Editorial Board member and employee on Red Hat's Security Response Team, will exist in addition to the older system, but will not replace the system.

Critics noted that MITRE may face challenges as it tries to implement the new system without disturbing the existing tracking process used in the older system.

“It is important to note that this approach was chosen to avoid any conflict with the existing CVE process as it is currently operating, and that the IDs issued under the federated scheme during the pilot will not be analyzed and incorporated into the CVE list or feeds,” wrote MITRE's CVE communications and adoption lead Joe Sain, on the CVE Editorial Board forum. “There will be no effect on external operations; all in-scope vulnerabilities will be handled as they are now.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.