Closing the CVE gap: Is MITRE up to it?

Critics say the Common Vulnerabilities and Exposures (CVE) program, managed by MITRE, is falling far behind in its mission to catalog and identify all known vulnerabilities. Its defenders say a new model is closing that gap.


It would be hard to dispute that the Common Vulnerabilities and Exposures (CVE) program is a great concept: a “dictionary” of all known vulnerabilities in publicly released software or firmware so organizations can know what risks they are facing. There is much dispute, however, 18 years after the nonprofit research and development organization MITRE launched the program, about how well it is working.

According to a number of critics, it’s not doing very well. Joshua Corman, a founder of I Am The Cavalry and director of the Cyber Statecraft Initiative for the Atlantic Council, said in a keynote at the SOURCE Boston conference in April that identifying and cataloging CVEs has fallen behind – way behind.

“For all vulnerabilities disclosed anywhere, commercial databases currently track about 80 percent. CVE tends to have 60 percent of that 80 percent,” he said. “So when you make a risk decision, you’re doing it with a blind spot of about 50 percent. This is a too-big-to-fail thing. It’s like our bridges and tunnels collapsing,” he said, adding, “It is about to get a lot worse,” thanks to the continuing explosion of devices and accompanying vulnerabilities that comprise the Internet of Things (IoT).

CSO’s Steve Ragan, in a Salted Hash post last September, noted that “the CVE system is faced with bottlenecks and coverage gaps, as thousands of vulnerabilities go without CVE-ID assignments. These gaps are leaving business leaders and security teams exposed to vulnerabilities that their security products, which rely on CVE-IDs to function and assess risk, don't even know exist in some cases,” he wrote.

Some members of the CVE Board – which includes 25 members from multiple segments of the cybersecurity community – are critical as well. Brian Martin, vice president of vulnerability intelligence at Risk Based Security and an independent member of the board, says that according to a vulnerability database his firm compiled, the gap is not as extreme as Corman estimates, but is still significant.

