Closing the CVE gap: Is MITRE up to it?

Taylor Armerding | July 11, 2017
Critics say the Common Vulnerabilities and Exposures (CVE) program, managed by MITRE, is falling far behind in its mission to catalog and identify all known vulnerabilities. Its defenders say a new model is closing that gap.

Assigning IDs to 10,000 to 14,000 vulnerabilities in a year “is going to be an order of magnitude too low. The problem is passing human scale,” he says, “so the only way to address it is with automation.” But he is also optimistic because he is on one of the working groups created by the CVE Board that is devoted to bringing automation into the ID process. Also, “there are signs that the federated system is working, although it’s too early to tell” about the long term, he says.

According to Martin, success in the long term will also depend on doing the basics. “I believe MITRE uses too much of the taxpayer funding for administrative positions, rather than more personnel that directly support the database,” he says.

“They certainly need to implement a better quality assurance process on existing entries. They need to agree on the current assignment standards, hold CNAs accountable, and most importantly hold themselves accountable to follow the standards.”

