
MITRE's bug pilot program fix 'indefinitely' shelved amid criticism

Lack of consultation fingered for CVE allocation disaster

A history of fatigue and failure

Brian Martin, a MITRE editorial board member and CEO of Attrition.org, has been pushing for a solution to the vulnerability identification problem for more than a decade.

He and others at the Open Security Foundation developed the Open Sourced Vulnerability Database, founded in 2002, positioning it as an accurate and unbiased repository of vulnerability data.

Martin says it could have been the most comprehensive free vulnerability database if 1,000 security professionals had each offered 15 minutes a week to maintain it.

But the size of the vulnerability cataloguing challenge is considerable. Martin reckons that, given 100 staff, he could catalogue the known and public vulnerabilities that are scattered around the web.

Even without that manpower or MITRE's funding, the database last year catalogued some 6,000 more vulnerabilities than were assigned under CVE, drawing from some 2,000 sources checked weekly and more than 3,000 reviewed once a month.

The concept behind the Foundation was shared with MITRE in 2008, when the US government-funded organisation was urged to look beyond the standard sources and to "aggregate everything".

Martin sees three core flaws at MITRE: its old technology, its lack of motivation to innovate under non-compete contracts, and its policy guidelines.

"They are using the same scripts, same process, with all of the old flaws and bottlenecks," Martin told Vulture South.

"In 17 years, they haven't evolved at all … there is no motivation for them to improve if they lack a personal desire to do so.

"They are to the point where they can go a month without replying to us (the editorial board), only to eventually give us a few-line generic platitude."

His remarks are echoed by other editorial board members frustrated with MITRE's lack of engagement and what they describe as a history of failure. ®
