The National Cyber Security Center of the Netherlands (NCSC.nl) has a curious take on sharing security information. On October 25, 2021 I contacted them to inform them of a simple typo in one of their advisories. I send mails or Tweets like this several times a week to researchers, vendors, and news outlets as CVE typos are prevalent. The issue is that a mistyped CVE ID can cause a lot of headache for organizations that take vulnerability intelligence seriously. Imagine an alert about a new CVE affecting enterprise software running your most critical assets and you can only find a news article on it saying the issue is critical. The vendor advisory doesn’t reference it and almost nothing to be found on Google or social media. What do you do? Before you spin up the entire team and tell them to stay late planning for emergency remediation, you need to know what you are dealing with.
Most of the time, the Tweets and emails get a quick reply acknowledging it was a typo and they fix it when possible. Every so often I get no reply and the typo stays there, likely forever. That typically happens on sites that appear to be automated aggregation of content for the sole purpose of getting clicks to generate ad revenue. They have no contact information, no social media, and no author bylines. Otherwise, generally such notifications are well received.
In the case of NCSC.nl I figured I would get a prompt reply and a quick fix. I got the prompt reply, but not the fix. First, note that they provide limited advisory services notifying their stakeholders of vulnerabilities and a page describing what the advisories are. They also have a PDF with a bigger explanation of what a security advisory is. Per Google translate, the advisories “… aim is to describe what the vulnerability is and what could possibly happen if it is exploited.” Simple and straight-forward. As most security professionals know, accuracy in an advisory is important. A typo in a CVE could point to the wrong vulnerability which might be the wrong software completely, or the right software and the wrong vulnerability. I contacted their info@ to let them know about the typo:
https://advisories.ncsc.nl/advisory?id=NCSC-2021-0840
[..] CVE-2021-3715 , CVE-2021-38160 , CVE-2021-4049 [Link]
That should be CVE-2021-40490 at the end.
Brian
The prompt reply I received the next morning was rather baffling. They ‘investigated’ the issue, confirmed I was correct, and wrote a 62 word reply over six lines instead of just fixing the single character that was missing.
Thank you for your e-mail. Hereby we confirm that we have received your
email and investigated the issue. We would like to thank you for your
friendly remark. However, we have decided not to update the
advisory as the CVE number is written correctly in other places in the
advisory.
Feel free to contact us again if there are any questions left.
I naturally questioned them on this odd reply and refusal to fix an inaccurate CVE identifier:
Yes, I have questions.
Why wouldn’t you correct a simple typo? More specifically, for a CVE ID that can cause confusion for security practitioners trying to ensure they have accurate vulnerability intelligence. Anyone reading your advisory may go down a proverbial rabbit hole trying to figure out what CVE-2021-4049 represents and waste considerable time.
Consider that that typo caused our team to respond trying to figure out what that ID represents. Fortunately, we have amazing vulnerability intelligence and it was fairly easy to deduce what happened.
Your apathy in this matter is staggering.
I hoped that an explanation, with a bit of shaming, might prompt them to just fix the single missing character. Nope…
Thank you for your e-mail. We appreciate your concerns. When the advisory
needs to be updated the typo will be corrected.
OK, but the advisory literally needs to be updated to fix the typo. This recursive excuse is just absurd. 21 word reply this time instead of a one character fix. They appreciate my concerns, but not enough to fix ONE CHARACTER.
It’s hard to have faith in Information Security when a national security center doesn’t understand the importance of accuracy and integrity. I hope organizations in the Netherlands are not relying on the NCSC.
One response to “An 83 Word Excuse Instead of a 1 Character Fix (NCSC.nl)”
Updates to NCSC-NL security advisories are (automatically) sent to all constituents involved. Fixing a typo would cause many human processing hours to be wasted by the recipients to reprocess the update. I totally understand the response you received. While not ideal, the advisory with the typo fix will only be updated when there is actually something new to report about the vulnerability.