Seifried said CVE uses a claims-based model, which is summarized in part of a transcript from a board teleconference last year: “CVE IDs will now be given in cases where a researcher finds a flaw or design oversight in software, even though it may not be seen as a vulnerability by the vendor. The researcher may be asked to provide evidence of a demonstrated negative impact, such as an example/scenario where the flaw is exploitable.”
He added that, “the stronger the claim, the more likely it is to get a CVE.” If it comes from an established vendor like Red Hat, “then we generally believe them. The same goes for well-known security research companies like a Qualys, and individuals like (white-hat hacker) Tavis Ormandy and others.” “There is also a dispute process and a reject process in case the veracity of the CVE comes into question.”
Does the CVE List contain all known vulnerabilities and exposures?
No, and there is some debate about what percent it does include. According to CVE, the goal of the program is to be “comprehensive.” Estimates of what percentage are missing from the list range from about a third to nearly half. MITRE declined to say what it believes the gap is, because there is no universally accepted way to count them.
How can CVE help protect networks?
By using the CVE ID for a particular vulnerability or exposure, organizations can quickly and accurately obtain information from a variety of CVE-Compatible information sources. By facilitating better comparisons between different security tools and services, CVE can help an organization choose which are the most appropriate for its needs.
Using CVE-Compatible products and services also helps improve responses to security advisories. If the advisory is CVE-Compatible, organizations can see if their scanners or security services check for this threat and then determine whether their intrusion detection systems have the appropriate attack signatures. For those that build or maintain systems for customers, the CVE compatibility of advisories will help directly identify any fixes from the vendors of the commercial software products in those systems. That also requires the vendor fix site to be CVE-Compatible.
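An added illustration of the correlation described above, written for this page rather than taken from the article or from any MITRE tooling: the CVE ID is used as the common key to check whether an advisory's identifiers are already referenced by a scanner's check list and an IDS signature list. All identifiers and lists below are constructed placeholders, not real CVE entries.

```python
import re

# CVE ID syntax: "CVE-" + four-digit year + "-" + a sequence number of at
# least four digits (the 2014 syntax change removed the four-digit cap).
CVE_ID = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def normalize(cve_id):
    """Return the canonical upper-case form, or None if the syntax is invalid."""
    candidate = cve_id.strip().upper()
    match = CVE_ID.match(candidate)
    if not match:
        return None
    year, seq = match.groups()
    return f"CVE-{year}-{seq}"


def coverage_report(advisory_ids, scanner_checks, ids_signatures):
    """For each advisory ID, record whether the scanner and the IDS already reference it."""
    scanner = {normalize(c) for c in scanner_checks} - {None}
    ids = {normalize(s) for s in ids_signatures} - {None}
    report = {}
    for raw in advisory_ids:
        cve = normalize(raw)
        if cve is None:
            # Keep the malformed value under its raw spelling so it is not silently dropped.
            report[raw] = {"valid": False, "scanner": False, "ids": False}
            continue
        report[cve] = {"valid": True, "scanner": cve in scanner, "ids": cve in ids}
    return report


def uncovered(report):
    """Valid advisory IDs that neither the scanner nor the IDS knows about."""
    return sorted(k for k, v in report.items()
                  if v["valid"] and not (v["scanner"] or v["ids"]))


# Constructed placeholder data: an advisory's ID list, a scanner's check list
# and an IDS signature list, deliberately mixing case and one malformed ID.
ADVISORY_IDS = ["CVE-2000-1111", "cve-2000-2222", "CVE-2000-33333", "CVE-00-1"]
SCANNER_CHECKS = ["CVE-2000-1111", "CVE-2000-33333"]
IDS_SIGNATURES = ["cve-2000-1111"]

if __name__ == "__main__":
    rep = coverage_report(ADVISORY_IDS, SCANNER_CHECKS, IDS_SIGNATURES)
    for key, val in rep.items():
        print(key, val)
    print("not covered by any tool:", uncovered(rep))
```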