Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies

[Tavis Ormandy <taviso () cmpxchg8b com>]

Kurt Seifried <kseifried () redhat com> wrote:

> So I've now heard from several security researchers that they are unable
> to get CVEs for issues that need CVEs (e.g. widely used hardware/software
> with flaws that have real world impacts and need to be properly tracked.
> This has definitely resulted in issues being publicized with no CVE that
> then makes it much harder to track and deal with these issues.
>
> I'm also worryingly hearing about people that may have given up asking for
> CVEs and publicizing their work at all, but of course cannot easily
> confirm this as I don't have any access on insight into what
> cve-assign () mitre org is actually doing/who
> they are talking to.


That's also the case for me, I gave up trying to assign CVE's a long time
ago. It's not that Mitre are not adding value, I can see the benefit of a
carefully curated list. The problem is that they're a big bottleneck in what
is an already painful process. I started the process of becoming a CNA once
to try and alleviate some of the delays, but that process was even more
painful and I gave up after a few months (this was a long time ago).

I'd only start using CVE identifiers again if they're assigned instantly,
and the curation is non-blocking.

Tavis.