Assigning IDs to 10,000 to 14,000 vulnerabilities in a year “is going to be an order of magnitude too low. The problem is passing human scale,” he says, “so the only way to address it is with automation.” But he is also optimistic because he is on one of the working groups created by the CVE Board that is devoted to bringing automation into the ID process.
Also, “there are signs that the federated system is working, although it’s too early to tell” about the long term, he says.
According to Martin, success in the long term will also depend on doing the basics. “I believe MITRE uses too much of the taxpayer funding for administrative positions, rather than more personnel that directly support the database,” he says.
“They certainly need to implement a better quality assurance process on existing entries. They need to agree on the current assignment standards, hold CNAs accountable, and most importantly hold themselves accountable to follow the standards.”