MITRE's bug pilot program fix 'indefinitely' shelved amid criticism
Lack of consultation fingered for CVE allocation disaster
A pilot project launched by vulnerability handler MITRE to address stagnation in the assignment of bug identification numbers has been shelved less than a day after its announcement and before its scheduled launch today.
The pilot was devised in response to complaints by security researchers and MITRE board members about the stalled allocation of CVE numbers.
As detailed by The Register, dozens of security researchers have struggled to gain Common Vulnerabilities and Exposures (CVE) numbers for their discovered vulnerabilities in what they say impacts broader security.
The MITRE website now bears a warning to visitors that it is experiencing "unprecedented demand for vulnerability IDs" and that it will work with the editorial board for a solution.
The pilot was rapidly spun up as a fix to address gaps in the CVE allocation scheme by accelerating the issuance of numbers under a revised naming schema planned to run in parallel with CVE.
It received swift criticism on grounds it was developed without consultation and would confuse the market, break existing tools, and ultimately fail to speed up allocation.
Mitre will hold an editorial meeting to discuss the future of the CVE system. The Register understands an announcement is due within a week but just what any new scheme will offer is unknown.
MITRE CVE communications and adoption lead Joe Sain said the pilot would be placed on "indefinite hold".
"A number of concerns with the proposed syntax were raised, and we heard them clearly ...we will not move forward with a public announcement of the pilot plan, which we are putting on indefinite hold," Sain says.
"The pilot described yesterday was designed to run in parallel and to be completely separate from the production CVE stream, but we certainly understand the importance of not perturbing any operating aspect of CVE.
"... we are looking forward to developing an operating model that enables CVE to move forward and that preserves the foundational work that the community has put into the effort."
MITRE editorial board members were quick to criticise the pilot federated platform. Kent Landfield also of Intel said the pilot "breaks just about everything" adding his earlier suggestion that a federated platform be considered should have been developed with the board.
"... I and others that have operational responsibility for using and distributing CVEs [thought we] would have some say in what it looked like," Landfield says.
"It would be in the best interest to hold off in my mind since these (pilots) IDs have no usefulness in product and this will totally confuse the market, researchers, and those with operational needs for a consistent CVE."
The remarks are echoed by another board member Kurt Seifried, of RedHat, who says he has struggled to push for an overhaul of the CVE system.