Re: CVE ID Syntax Vote - results and next steps
On Thu, 18 Apr 2013, Art Manion wrote:

: What caused me to reconsider was the idea of more and more active CNAs.
: Now, MITRE is careful to hand out modest allocations of IDs, generally
: sequentially, to dozens(?) of CNAs. I don't think there's much waste.
:
: What I wanted to future-proof is the world with more CNAs (100s?) with
: more assignment authority (like a modulo slice or big sequential block
: of the year's CVE ID space). In this world, there still may not
: be more than 1M CVE IDs published per year, but there may be more than
: 1M CVE IDs allocated to CNAs. Allocation != publication.

This is a fair point. I do not know a lot about how CNAs run other than the overall process. I certainly hope that a CNA is not granted a big pool unless they demonstrate they need it. Such a demonstration should only be valid if they actually issue that many valid CVEs, and request more during the same year.

: Another future scale issue: Automated ways to find vulnerabilities
: could overwhelm the current 10K/year human-scale size of the problem.

That is the primary example Carsten Eiram and I offer: a system where an automated code analysis tool can essentially auto-assign a CVE for each one found. We know the current state of this would mean an incredible number of false positives, so I can't see anyone arguing that CVE should ever move away from some level of manual review for assignment. Unless a company demonstrates a scanner with > 90% accuracy, that absolutely should not happen. Even then, if we're seeing a CVE assigned to every valid vulnerability, no matter what the exploitation criteria are, then we're also ignoring the current policy of grouping similar vulnerabilities in similar versions. That also works against the argument we're putting forth saying "maybe 1MIL can be reached".

In 14 years, we have a single example of a non-MITRE CNA issuing a significant number of identifiers, and that is Kurt Seifried of RedHat. Even with the *incredible* amount of hours he spends on it, he too has said "I can't keep up in some situations". This is no insult to him by any means, it is a basic truth. When Debian gave him a list of several hundred vulnerabilities without an ID, he said "yeah, not happening" and asked that they be posted individually to oss-sec for consideration. When I gave Steve Christey / MITRE a list of ~260 vulnerabilities from January 2013 that had no identifier, he too said "not happening". I do not blame either one, but it illustrates the current model of CVE, and illustrates the problem with manpower and identifier assignment. 14 years and no 10k barrier breached, with CVE and CNAs saying "we can't keep up" moving forward, and the project actually moving into a position to assign about the same number as previous years, if not less. I don't see a 1MIL scenario happening unless CVE changes policy completely. If they do, then CVE also becomes entirely worthless and I don't care what barrier they hit, because most of the industry would drop them quick.