MITRE rolls out new CVE system after Reg reveal
Critics slammed old system, slam new one too for format that will break tooling
Vulnerability clearing house MITRE will launch an experimental federated and fast-processing platform on Monday to address widespread discontent within the security sector revealed by The Register.
The pilot platform will implement a new structure for issuance of Common Vulnerabilities and Exposures numbers. MITRE will directly issue the identifiers.
The revised system will use a new identity number structure that will critics warn will break existing tools designed to work with the current CVE number format.
The CVE numbers are the numerical tags assigned to bugs and are intended to serve as a single source of truth for security companies and engineers as they seek to describe and patch problems.
The platform will exist alongside the current slower but established CVE system.
The Register revealed earlier this month how dozens of high-profile and largely obscure researchers have struggled to obtain CVE numbers for legitimate and dangerous bugs, forcing some to withhold zero days and creating hostility within the MITRE editorial board.
MITRE CVE communications and adoption lead Joe Sain says the federated platform is in response to demand for a faster way of assigning CVE numbers.
Said says "... the traditional operating model for the CVE program has not been able to keep pace with the growing demands of the vulnerability management community."
"In addition, the researcher and discloser communities have identified a need for rapid, early assignments of CVE IDs to enable early-stage vulnerability coordination and mitigation.
"The immediacy of this use case means that the requirement for traditional references and descriptions is, at times, less important than the rapid issuance of unique identifiers."
The federated system will use a new format from Monday following the syntax of CVE-CCCIII-YYYY-NNNN…N ; CCC represents issuing authority’s country, III encodes the issuing authority, YYYY the year, and NNNN the number.
"At its launch, MITRE will be the only issuing authority, but we expect to quickly add others to address the needs of the research and discloser communities, as well as the cybersecurity community as a whole," Sain says.
"This new federated ID system will significantly enhance the early stage vulnerability mitigation coordination, and reduce the time lapse between request and issuance."
Red Hat security man and MITRE board member Kurt Seifried who spoke to The Register earlier this month as part of others warning of the CVE breakdown says tools may have to be re-written to cater for an experimental platform that may be later jettisoned.
"So this breaks every piece of CVE tooling software currently in existence," Seifried says.
"Before the industry collectively puts a few tens or hundreds of thousands of hours of work and quite a lot of money into supporting this is there any guarantee from MITRE that this is a long term project?"
Fellow board member Kent Landfield also standards director of Intel Security agrees, saying the structure will confuse the market.
"This breaks just about everything," Landfield says.
"It would be in the best interest to hold off in my mind since these Ids have no usefulness in product and this will totally confuse the market, researcher and those with operational needs for a consistent CVE."
Sain says the structure will not yet impact current CVE formats, but the latter would eventually be merged should the pilot be a success.
He says MITRE is aiming for automated vulnerability identification, description, and processing, and welcomed input from board members and the security community. ®