Bob’s “CVE Quality-by-Design Manifesto” – The Hits and Misses

Almost every time Bob Lord blogs, I feel the need to write a rebuttal to what is arguably abject stupidity and shortsightedness. One he published a couple of days ago, titled “CVE Quality-by-Design Manifesto”, is missing several core concepts in the realm of vulnerability intelligence. While his overall point is certainly valid, the order in which he declares our needs is wrong, on top of missing some not-so-subtle points about the CVE ecosystem he speaks to. Let’s break it down…

For nearly a decade, the CVE Program has been in an expansion phase. Almost 500 CNAs (CVE Numbering Authorities) are now authorized to issue records. That growth was essential. It built the foundation for what comes next.

Gemini: Please render an image of a dog, with a name collar that says “BOB”, looking like they are in trouble for doing something wrong, with a human arm and hand pointing at the dog with their index finger, and the image is captioned “WRONG!” [With three prompted corrections]

First, let’s address this “almost 500 CNAs” bit, as I have already pointed out how CNA numbers are not what they seem. As we move from 400 to 500, the pattern hasn’t changed. MITRE continues to mint new CNAs that have no published advisories, or ones that have published advisories still missing CVE IDs. Meanwhile, they are either not reaching out to the more prominent vendors that are desperately needed as CNAs, or they are, and the vendors are rejecting the offer. If the latter, that is quite telling about the state of the CVE program.

Now, we enter the quality phase.

This single line is what really prompted my rebuttal. The CVE program is in shambles, and it has been going downhill since Steve Christey-Coley left the program, or got pushed out, depending on who you talk to. Since his departure, MITRE has spent quite literally zero effort maintaining any form of quality assurance on CVE records. It has led to CVE IDs being assigned to issues with a description that doesn’t even include the vendor, product, or version of the affected software. Some descriptions are barely more than CWE IDs. Others are long, convoluted technical jargon that does not identify the impact of the issue and arguably aren’t vulnerabilities at all. At some point I will publish a long blog that cites specific examples of all of these, and a lot more, that several of us on the VulnDB team have been cataloging for a decade.

The issue Bob misses is that MITRE has set the tone by allowing both CNAs and researchers to provide junk descriptions, broken references, advisories behind paywalls, and more. To this day, MITRE still rarely enforces its own CNA rules, including the one requiring CNAs to update a record within 24 hours of disclosure (Section 2.2.3). This leads to vulnerabilities that have been publicly disclosed, sometimes critical with exploit code available, while the CVE ID still sits in RESERVED. Some people call these ‘Shadow’ or ‘Ghost’ vulnerabilities, but you can read about the nuance missing there.

Gemini: Please render a cartoony image, that appears to be poorly drawn, of a ghost that looks incredibly stupid and has the word “VULN” on its chest, giving us the middle finger.

Worse, by not mandating quality from the start, and by MITRE not applying standards to anything they publish as a CNA themselves, we now have a backlog of well over 100,000 vulnerabilities that do not have adequate descriptions and are missing essential metadata. Many of these vulnerabilities are still actively exploited to this day. This problem haunts me every day working on VulnDB, as we do not have some dedicated fields to track that metadata. When we add a new one years later, it means we can’t really ‘backfill’ prior entries due to the work involved and the resources available.

High-quality CVE records are no longer optional; they are the backbone of vulnerability management, threat intelligence, and automated defense.

Bravo Bob! You said the quiet part out loud without realizing it, I think! You say that quality records are “the backbone of vulnerability management”. Good, now run with this and point your finger toward MITRE. Be bold, be honest… and outright blame MITRE, who is entirely at fault here. If that is true, then why didn’t MITRE embrace that over a decade ago? You are very accurately pointing out that MITRE does not have the expertise needed to run the CVE program.

It’s time to change that.

No Bob, it was time to change that ages ago, and we’re suffering under a vulnerability aggregation program that doesn’t earn the name “intelligence”.

If we succeed, CVE will no longer be a registry of defects. It will be a living infrastructure for global software safety — built not by repair, but secure by design.

No Bob, it will still be sufficiently incomplete and missing hundreds of thousands of vulnerabilities. Due to the incorrect methodology used by the CNA program, it is too late to truly correct this, and it will continue to get worse. MITRE’s “come to us” approach is a fundamental flaw that hamstrings the program and has since the mid to late 2000s. But, let’s get back to where Bob is absolutely right!

Missed vulnerabilities lead to breaches.

Low-quality data wastes precious time.

Confusion spreads through the supply chain.

Yes, yes, and yes! But again… why is it everyone seems to know this except MITRE? Per FFRDC regulations, for MITRE to be awarded the contract and, more importantly, to continue to be funded to run it, they must have expertise. The Code of Federal Regulations, Title 48, section 35.017-4, “Reviewing FFRDC’s”, explicitly calls for “an assessment of the efficiency and effectiveness of the FFRDC in meeting the sponsor’s needs, including … currency in its field(s) of expertise”. Once again, Bob clearly points out that MITRE does not have this expertise. It’s time to find a new steward for the CVE program, or perhaps organizations should start looking at GCVE instead. Or bite the bullet and find a commercial vulnerability intelligence provider that fills in those huge gaps that MITRE insists on creating through their perceived negligence.

Gemini: Please render an image, a cartoon of a traditional water well that says “Vuln Intel”, with a man next to it wearing ragged jeans and old raggedy t-shirt that says “MITRE” on the back, where the man is dumping a bucket of manure into the well. [With two prompted corrections, since Gemini apparently will not render a man urinating.]

  1. CNA accountability: CNAs should be responsible and accountable for the quality of their records.
  2. Software companies should be CNAs. A part of taking ownership for customer security outcomes is providing authoritative information about defects in their products.
  3. Opinionated system design: The CVE system should clearly define what “good” looks like and prevent the creation of low-quality records.
  4. Automation-first approach: Schema design and field requirements should prioritize automation, consistency, and machine readability.

Bob is on a roll! Yes, debatable, yes, and yes! I will nitpick on number two because yes, in theory they should be. But MITRE has consistently poisoned the well here, so to speak. Many vendors have outright rejected MITRE and the CNA program due to the way it is designed and the incredible burden it has created on some software vendors. In some cases, that poor design has essentially, if unintentionally, strong-armed some vendors into becoming CNAs just to help lower that burden. That is not how you gain more adoption; instead it just creates participatory resistance, as they will be less likely to assign a CVE than before while still following the CNA rules. This can create blind spots, as an issue may not be a vulnerability to the Curl team, but it could be an issue or concern for an organization.

Defenders need vulnerability information quickly. … Given how fast attackers exploit new flaws, delays carry real consequences.

Today, many CNAs issue incomplete records. Rather than holding CNAs to higher standards, the U.S. government funds staff and contractors to repair CVE records after publication.

Bob goes on after that to justify the severity of the issue, citing the “process is error-prone”, while not calling out the clear underlying issue: why is the U.S. Government paying multiple entities to fix something created by a program they are also funding? This is serious mismanagement and waste. A single agency or entity should be doing this, and we have plenty of historical evidence to guarantee it should not be MITRE, nor NIST’s NVD with a backlog of over 28,000 as of this morning. That is higher than a couple of years ago, when Tanya Brewer assured us it would be fixed. When she spoke, the backlog was a measly 4,581. This is one of many reasons I gave the CVE Program a vote of ‘no confidence’.

Gemini: Please render an image of a man that appears to be an executive, standing in front of a government-style sign that says “CISA”, burning a small pile of money at his feet.

You have to read a significant way down to find Bob’s “Call to Action”, where he says, in order, that CNAs, software manufacturers, the CVE Program, tool vendors / data consumers, and defenders / researchers have their parts to play. I bolded the item that struck me as odd. Why is the CVE program third in this list? It should be first, as they carry the most responsibility as the stewards of this program. Quit giving them a complete pass, or in this case a soft pass. Hold their feet to the fire and make them talk, make them be transparent.

How? Use EUVD or GCVE instead! Sure, both are basically clones of CVE at this point, but they should grow. And while they are getting information from CVE and other sources, they become the more complete source. Even though MITRE / NVD is doing the work, they aren’t getting the recognition as the primary database of vulnerabilities in the world. Once the U.S. Government catches on and updates their regulations to require inclusion of those sources, it will send a clear message about the value of that program. Maybe then, hopefully, someone at an OIG office will get involved and set them straight. Congress certainly didn’t do that.

Intrigued about just how badly MITRE is failing to follow the FFRDC rules set forth by our government? Conveniently, Dark Reading has just published an opinion column I wrote today that goes deep on the topic, citing all types of exciting regulations. If you want to help hold MITRE accountable to improve the CVE program, this is your CliffsNotes on how to do it.
