The CVE system is the central point around which most of the information security community revolves. Whenever a security researcher finds a security vulnerability, he sends MITRE a request for a CVE identifier.
This CVE ID is more than just a number added to a
database. In the infosec world, it's also a sign that the researcher did
a good job, and that he discovered, and sometimes helped patch, a
dangerous software flaw.
It wouldn't be far-fetched to consider CVE numbers
as "brag tags," with many security researchers keeping score and
comparing themselves to other researchers.
MITRE's CVE backlog is annoying the infosec community
In recent months, more and more security researchers have started complaining about MITRE, and more precisely about its huge delay in handing out CVE numbers.
The issue was raised several times on the Full Disclosure security-themed newsletter, and many experts weighed in with their own not-so-happy experiences.
Some researchers said that they are still waiting,
several months after discovering security flaws, while some said that
they've just given up, and eventually published their findings without a
CVE number.
There is also the issue that government agencies and
multinational corporations don't address security issues in their
software unless the bugs have a CVE identifier.
More paranoid users have already started to propose conspiracy theories about how MITRE is working with the government to get companies and agencies off the hook for not updating systems when they have to. No CVE ID means no legal obligation to patch, which means customers can't sue in the case of a data breach. These theories are just that: theories, and nothing more. Things are never that simple in lawsuits, and this actually looks like an organization that's struggling to keep up with market demand.
Is IoT's sorry state causing this backlog?
The most obvious explanation would be that in the past year there has been a boom of Internet-connected (IoT) devices, most of which have execrable security features, generating a large number of bugs that the MITRE crew cannot keep up with.
MITRE staff don't just have to assign a number to a security report and record it in a database; they also have to contact the vendor and then evaluate the vulnerability to calculate its severity score.
With more and more bug reports coming in, it was to be expected that things would eventually get clogged up. Even MITRE's own people have noticed this issue, and Kurt Seifried, a MITRE board member and security expert at Red Hat, has started an alternative CVE-like system called Distributed Weakness Filing (DWF).
With most of the necessary DWF code already uploaded to GitHub, and most of the community mad at MITRE, Seifried seems to be waiting for the organisation's next move before going forward with his DWF initiative.
MITRE has finally acknowledged the problem
According to a post on its website, things have
started to move in the right direction on MITRE's end. The following
message was posted on CVE's website during the past week.
"CVE has been experiencing an unprecedented demand
for vulnerability IDs. We look forward to working with the CVE Editorial
Board and the broader vulnerability management community to
significantly improve stakeholder communication, and improve and scale
CVE operations to reduce ID assignment response times and increase
product coverage. Details as they become available will be posted to
http://cve.mitre.org/."
As it looks right now, MITRE seems to have understood the dangerous situation it is in. This looks a lot like the standoff between Joyent, the company that was managing Node.js, and the Node.js community.
The community wanted Joyent to move the Node.js code forward and add new features, and after months of waiting for Joyent to comply with their requests, they forked Node.js into io.js and followed their own plan. The two projects eventually merged back together, but the io.js people were considered the winners of this standoff after making Joyent heed their requests.
It's usually not a good idea to stand in the way of the wishes of a large community. Given that all security researchers are requesting is a quicker review process and nothing else, MITRE should have a simple way of fixing the situation. Otherwise, if CVE fails and is replaced by DWF, it will be entirely MITRE's fault.