MITRE fighter says CVE delays are no laughing matter, names bug ROFL in branding protest

Hopes Rocket Overloaded Flags Liability spurs adoption of DWF bug IDs

AusCERT Security man David Jorm has started giving important bugs names, logos and even websites, because MITRE won't assign them Common Vulnerabilities and Exposures (CVE) numbers.

CVE numbers are the tags assigned to bugs and are designed to help the security industry ensure that they're all fixing the same problem. Jorm, of Console and previously Red Hat, is not alone in being unable to gain a CVE from US Government entity MITRE.

His naming efforts are born out of frustration. Dozens of security researchers, some famous and some obscure, tell this El Reg reporter they struggle to secure CVEs from MITRE.

Your correspondent is attending the AusCERT conference this week, and numerous researchers have complained of the problem. Yet researchers from prominent technology firms routinely report MITRE is responsive to their requests.

Security types say a 2015 leadership change at MITRE is to blame, coupled with the then-manual, email-based bug triage system simply being overwhelmed.

Nevertheless MITRE accepts some of the blame for the backlog of CVEs and failure to assign the digits to important vulnerabilities.

It launched then quickly scrapped a new triage system once hoped to fix the CVE allocation stall after The Register revealed problems with MITRE's CVE system.

Console security man David Jorm. Image: Darren Pauli, The Register.

Those problems have seen big vulnerabilities going without CVE, while in multiple instances a researcher under the spoof account Justin Timberlake managed to get a CVE number for his deliberately faked and patently junk vulnerability for software that did not exist.

Jorm (@djorm), like most security researchers, is dismissive of badged and bannered security vulnerabilities like Heartbleed, but has adopted the tactic in the hope it increases their prominence and therefore the likelihood of being awarded a CVE number. He also hopes to highlight MITRE's flawed processes.

"I am going to give every vulnerability that I have found a website, name, and a logo," Jorm told AusCERT today.

"I have begun with Rocket Overloaded Flags Liability (ROFL) and PHWNED."

His comedic endeavours are also a bid to draw researchers to the alternative model to MITRE, namely the Distributed Weakness Filing (DWF) project, which is the creation of some industry types and MITRE board members.

"The next time you find a bug, include the DWF ID number along with the CVE," Jorm urged.

He also suggested loading the database of the scuppered but lauded Open Source Vulnerability Database into DWF could be a worthy effort for an interested hacker. ®
