The backlog has even gotten the attention of Congress. The chairmen of the House Energy and Commerce Committee and three of its subcommittees sent letters dated March 30 to MITRE, which continues to oversee the program, and to the Department of Homeland Security (DHS), which funds it. The letters suggested that MITRE should have anticipated the growth in vulnerabilities, and asked what they are going to do about it.
“The explosion of connected devices and services that has been associated with the CVE program’s shortcomings, while rapid, did not occur overnight,” the letter to MITRE said.
“In light of this, we seek to understand how MITRE and the CVE program failed to anticipate and prepare for this growth … and what more may be done to ensure this program can more effectively serve its essential mission.”
While the committee wants to understand it, so far it apparently doesn’t want the public to understand it, even though the program is taxpayer funded. The letters asked for responses by April 13, but the committee has not yet made public any further information on communications with either MITRE or DHS. Dan Schneider, a spokesman for the committee, says MITRE has responded, but he declined to discuss it or anything about the program for the record.
Lucy Martinez, of the DHS public affairs office, says, “we do not comment on congressional correspondence and will respond directly to the members.” She did not respond to a request simply to see the MITRE response. Also, neither MITRE nor DHS would say what the program’s annual funding is. Ragan reported it was $1.2 million in 2006.
Regarding complaints of thousands of vulnerabilities still without IDs, Jennifer Lang, a spokeswoman for MITRE, says the CVE program “assigns a number to 100 percent of the vulnerabilities of which we are aware and that meet our definition of a vulnerability. There are also an unknown number of vulnerabilities in the cyber ecosystem that could be assigned,” she says. “The challenge is that we can’t quantify that number in percentage terms because they have not been disclosed to the CVE program.” Lang adds that “there is no single or universally accepted way to count vulnerabilities, and different organizations define and count vulnerabilities differently.”
That troubles Martin. “I fully believe that responses should be a matter of public record, given the embedded nature of the CVE program,” he says. “The ‘stakeholders’ in CVE, as they call them, or ‘consumers’ as I do, should understand what MITRE is doing to address the issues.”
The program’s defenders, however, say things are improving and have been for the past 15 months. They credit what they call a “federated system,” which has enlisted dozens more organizations as CNAs (CVE Numbering Authorities) – 62 at current count – to identify new vulnerabilities and assign ID numbers to them.