Thoughts on CISA’s “Vulnrichment” Initiative

As many in the vulnerability disclosure ecosystem are now aware, the Cybersecurity & Infrastructure Security Agency (CISA) announced a new program called “Vulnrichment” on LinkedIn yesterday. News about the program spread rapidly via news sites and private companies. Because the program is so new, the statement itself and the coverage around it leave some general questions that deserve to be asked out loud. For me, there are also serious concerns when reading between the lines.

Last night, I made a fairly snide comment about the “masturbatory glee” many people seemed to have over this initiative while knowing so very little about it. Many people who spend a lot of time in the vulnerability ecosystem seem to be vocal cheerleaders for this, but what bothered me was that none of them were asking the easy and obvious questions, at least not out loud. Time for a brief rabbit hole journey.

Quoting from the CISA statement: “We recently enriched 1,300 CVEs and continue to diligently work to ensure all submitted CVEs are enriched.” That is good progress, maybe? How long did it take? If CISA enriched these, does that mean NVD’s backlog would otherwise have been at roughly 11,500? Since the ‘Awaiting Analysis’ count broke 10,000 yesterday, it raises the question of what these CVEs represent.

“Soon, we’ll also start sharing decision points from CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC).”

For those not familiar with SSVC, it is an “analysis methodology that accounts for a vulnerability’s exploitation status, impacts to safety, and prevalence of the affected product in a singular system” that even has a handy broken calculator (I cannot use it on Chrome with extensions or Edge without extensions). What CISA’s statement apparently doesn’t qualify is that SSVC will be used to decide which CVE IDs get enriched, meaning not all of them, contrary to what the statement suggests. This comes from Art Manion, who has an in-depth background in the vulnerability ecosystem. If Art is in the know and this is correct, then my first issue with this initiative is that it gives another false sense of completeness.

Again quoting the CISA statement: “This enrichment effort can be found at our Vulnrichment GitHub Repository: https://github.com/cisagov/vulnrichment. Our GitHub approach includes a readme with more info and enables stakeholders to report errors and offer suggestions directly to CISA.”

Next, we find out this information is being maintained and shared on GitHub. An open project that can receive community help via suggestions or, presumably, pull requests is welcome, but it also underscores that stakeholders now have to consume data from yet another place. That adds technical debt for any company that chooses to use it.

Reading between the lines, on the back of the serious questions about NVD’s failure to keep up with analysis, we have to ask “Why, CISA?” Do you know something we don’t? Is this purely a vote of no confidence in NVD’s ability to provide timely enrichment of difficult CVE data? Launching an initiative this big, and having already enriched 1,300 CVEs, strongly suggests that NVD’s problems are not going to get better soon, as Tanya Brewer told attendees at VulnCon. Is NVD officially down and out, or is there time for a comeback?

Show me the money! I already have outstanding FOIA requests for the 2023 and 2024 NVD budget, the cost of CISA NCAS bulletins in 2023, the 2023 ICS-CERT budget, and the 2023 MITRE CVE budget. Time to open a FOIA request for this new CISA initiative too. Done. If you are curious about why all this interest in those budgets, it is due to the horrible redundancy and inefficiency of two entities doing CVE/NVD, and then adding CISA to the mix for a variety of things around it. Worse, the budget enjoyed by MITRE to do CVE and NIST to do NVD is obscene in my opinion. I say that as someone who helps manage a sizable team that does everything they do, and a lot more, with a fraction of the CVE or NVD budget. A much, much smaller fraction when you combine all the money taxpayers are spending for a sub-par solution that is causing serious harm to the world’s infrastructure. That isn’t hyperbole.

Finally, we’ll address the Common Platform Enumeration (CPE) dilemma. This framework is owned and controlled by NIST, and at present only the NVD team can add official CPE strings to it. While Tanya Brewer said at VulnCon that they would open it up to CVE Numbering Authorities (CNAs), it is getting more difficult to trust what we are being told about the future of NVD. Either way, CISA is now going to face the same problem my team has had for over a decade. You can follow the CPE specification and often arrive at the same string NVD will generate, but not always. When the strings differ, we carry our ‘unofficial’ string until NVD sometimes, but not always, adds its own. Then there is their official string and our unofficial one, and if they don’t match it leads to mapping headaches: customers that have been using the unofficial string have to keep pulling refreshed metadata to catch the moment we deprecate it in favor of the official one.

CISA is in a position to force NVD’s hand and have the CPE strings it creates become official. Did that happen? If not, why not? Every ‘Vulnrichment’ CPE that CISA generates may mean more technical debt and headaches for stakeholders down the road.
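To make the mapping headache concrete, here is an added example in Python (my code, not the author’s, NVD’s or CISA’s). It builds cpe:2.3 formatted strings from a vendor, product and version, then shows what a consumer has to do when NVD later publishes a differently named ‘official’ string for the same product: a stored unofficial key only keeps working if someone maintains a deprecation map and the consumer resolves through it. The vendor and product names, the ‘official’ string, and the normalization rule (lowercase, whitespace to underscore, a backslash before punctuation other than ‘.’, ‘-’ and ‘_’) are assumptions constructed for the example; the point of the paragraph above is precisely that NVD’s naming choices are not reproducible from the specification alone.

```python
"""Added example: unofficial vs. official CPE strings and a deprecation map.
All vendor/product names and the 'official' string are constructed for the
example; none of this is real NVD dictionary data."""
import re
from typing import Iterable, Optional

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")


def cpe_component(value: Optional[str]) -> str:
    """Normalize one component the way NVD-style cpe:2.3 strings are usually built:
    lowercase, runs of whitespace -> '_', and a backslash before any character
    other than [a-z0-9._-] (the formatted-string binding leaves '.', '-' and '_'
    bare). Assumption: literal values never carry the '*' / '?' wildcards.
    None binds to ANY ('*')."""
    if value is None:
        return "*"
    v = re.sub(r"\s+", "_", value.strip().lower())
    return re.sub(r"[^a-z0-9._\-]", lambda m: "\\" + m.group(0), v)


def build_cpe(part: str, vendor: str, product: str,
              version: Optional[str] = None, **rest: str) -> str:
    """Build a cpe:2.3 formatted string; every unspecified field binds to ANY."""
    if part not in ("a", "h", "o"):
        raise ValueError("part must be 'a' (application), 'h' (hardware) or 'o' (OS)")
    unknown = set(rest) - set(CPE_FIELDS)
    if unknown:
        raise ValueError(f"unknown CPE field(s): {sorted(unknown)}")
    comps = {"part": part, "vendor": vendor, "product": product,
             "version": version, **rest}
    return "cpe:2.3:" + ":".join(cpe_component(comps.get(f)) for f in CPE_FIELDS)


class CpeRegistry:
    """Our unofficial strings plus the official NVD strings that later supersede
    them. Consumers resolve through the chain so a stored key keeps working."""

    def __init__(self) -> None:
        self._superseded_by: dict[str, str] = {}

    def deprecate(self, unofficial: str, official: str) -> None:
        if unofficial == official:
            return  # spec-derived string matched NVD's: nothing to map
        if self.resolve(official) == unofficial:
            raise ValueError("deprecation would create a cycle")
        self._superseded_by[unofficial] = official

    def resolve(self, cpe: str) -> str:
        """Follow deprecations to the current string (handles re-deprecations)."""
        seen = set()
        while cpe in self._superseded_by and cpe not in seen:
            seen.add(cpe)
            cpe = self._superseded_by[cpe]
        return cpe

    def stale_references(self, refs: Iterable[str]) -> list:
        """(old, current) pairs for every stored reference that no longer points
        at the current string, i.e. what a customer must refresh."""
        return [(r, self.resolve(r)) for r in refs if self.resolve(r) != r]


def demo() -> dict:
    # Constructed scenario: we derive a string from the vendor's marketing name...
    ours = build_cpe("a", "Acme Software", "Widget Server", "2.1.0")
    # ...and NVD later publishes its own naming choice (hypothetical string).
    nvd = "cpe:2.3:a:acme:widgetserver:2.1.0:*:*:*:*:*:*:*"
    reg = CpeRegistry()
    reg.deprecate(ours, nvd)
    # Customer data captured before the deprecation still carries our string;
    # a second, untouched product shows that only the deprecated key is flagged.
    customer_refs = [ours, build_cpe("a", "Acme Software", "Gadget Agent", "4.0")]
    return {"ours": ours, "resolved": reg.resolve(ours),
            "stale": reg.stale_references(customer_refs)}


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

The registry is the piece the author’s customers are missing: without it, the only way to learn that an unofficial string was retired is to keep re-pulling metadata and diffing, which is exactly the technical debt the paragraph describes.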

So ultimately, my biggest concern and takeaway is that this program is yet another Band-Aid on an already severely damaged vulnerability ecosystem. Will it help? I am not going to make a prediction on this one, because there are just too many questions that need answering. I hope CISA will consider these points and release more information to address them, giving the community a better understanding through more transparency.
