2017 End-of-year Reports Based on CVE Data

[These were notes I took in 2017 and never got around to finishing. I have done some general formatting / cleanup to round out the sentences and such, but not much else. Given I made a prediction at the time, I am opting to publish this but backdate it accordingly. The general issue of CVE not being consistent in abstraction has meant it cannot be used to count vulnerabilities going back to 2005 or before. I have said that for a while, so my prediction was based on the past, and of course held true in the future. =)]


Date: Wed, 15 Mar 2017 11:21:25 -0500 (CDT)
Subject: [CVENEW] New CVE CANs: 2017/03/15 12:00 ; count=8 (fwd)

MITRE is now abstracting by script for CSRF (for years, they were merged into a single ID), and they are abstracting by tree affected, e.g. CVE-2017-6916 for BigTree CMS 4.1.18 and CVE-2017-6918 for BigTree CMS 4.2.16, yet the exact same vuln. This will radically raise the # of CVE IDs published each year, while making it considerably more confusing and difficult for the average organization to easily track vulns. Further, there can be no meaningful stats based on CVE data in 2017 without some serious scrubbing and analysis. If they continue along these lines, any company that blindly uses CVE data for year-end stats, like so many do, will come to all kinds of wrong conclusions. Stuff like “$product has two times more vulns than last year” or “there was a 50% increase in vulns”.

I brought some of this up and was dismissed on the CVE Editorial Board list, saying that the recent CNA guidelines changed this. In the first copy I reviewed, I don’t recall those changes, but I am sure they are in there. That said, the fact that the board didn’t raise questions or complain about the consequences of this is telling. I pursued it off list a bit more but ultimately got nowhere except on one other issue (MITRE is letting the ID-requesting party write the description, and they will publish it if good), in which they asked how we could address it better. Ultimately, I doubt my mails will effect any real change.


[Narrator: They did not effect any real change.]
