Title: You Won’t Believe What Experts Are Saying About Reserving A CVE for Vulnerability Discovery and Disclosure!
Introduction: As the world becomes increasingly digital, the need for cybersecurity has become paramount. With the advent of new technologies, there have been new vulnerabilities that hackers and malicious actors can exploit. To address the issue, technology companies and cybersecurity firms work diligently to find and report such vulnerabilities. But to do this, they often rely on a mechanism called a CVE, or Common Vulnerabilities and Exposures. In this article, we’ll delve into what a CVE is and why experts are calling for reserving them for vulnerability discovery and disclosure.
What is a CVE? A CVE is a dictionary of publicly disclosed cybersecurity vulnerabilities and exposures. It is maintained by MITRE Corporation and serves as a unique identifier for cybersecurity issues. For example, if a cybersecurity firm finds a vulnerability in a product, they can report it to the vendor or the CVE project, who will then give it a unique CVE ID. This allows for easy tracking and referencing of vulnerabilities.
Why reserve CVEs for vulnerability discovery and disclosure? As the number of digital devices we use and rely on increases, so does the number of vulnerabilities. In 2020 alone, over 18,000 CVEs were reported, indicating a rising need for cybersecurity vigilance. However, not all CVEs are created equal. Some are reserved for internal use, while others are reserved for products that are not actively supported, among other reasons. This has sparked debate among cybersecurity experts, who argue that CVEs should be reserved solely for vulnerability discovery and disclosure.
The argument for this is that reserving CVEs for vulnerability discovery and disclosure would improve transparency, accountability, and security. By doing so, vendors and customers alike would be better informed about the specific cybersecurity risks associated with a product. Moreover, it would allow for more efficient and effective vulnerability management, which, in turn, would lead to a more secure digital ecosystem.
Conclusion: As we continue to rely on digital technology, the cybersecurity landscape will evolve rapidly. By reserving CVEs for vulnerability discovery and disclosure, we can ensure that we are better equipped to tackle the challenges posed by new vulnerabilities. It is up to all of us to play our part in securing the digital world we live in, and reserving CVEs for their intended use is one of the many steps we can take towards that end.
The CVE reservation process
The researcher that discovers a vulnerability has the ability to reserve a CVE. If you believe that you’ve discovered a new vulnerability, you can reserve a CVE through the following process.
1. Verify that a CVE ID is needed
A CVE is appropriate if a vulnerability has been detected in software. To be considered a vulnerability, some exploitable code must pose a threat to the confidentiality, integrity or availability of the software or the data that it processes. Additionally, to fix this issue, some modification in the code or specifications is required. If a CVE is appropriate, the next step is verifying that one does not already exist for the CVE in question. This can be accomplished via a keyword search on the CVE website.
2. Contact the affected vendor
Working with the affected vendor is highly recommended as part of the vulnerability disclosure process. Irresponsible disclosure of a vulnerability without a “good faith” effort to contact the vendor and allow a patch to be released places users of the affected process at risk. MITRE recommends the following steps for working with the vendor:
Contact the vendor’s security contact (if available) or technical support. Provide a full description of the vulnerability in question, steps for exploitation, and proof of concept (if available). Allow five business days for the vendor to respond. An auto-reply message does not count as a response. Work with the vendor to correct the issue. This may include additional explanations, further analysis of the vulnerability, patch testing and accuracy checks of both your and the vendor’s advisories. If the five-day window expires with no response, reach out to a third-party “coordinator”, such as CERT/CC. These coordinators may have connections that improve their ability to receive a response. If the vendor and an established response team (such as CERT/CC) will not issue an advisory, publish to a public forum that allows community validation. Options include the Bugtraq and Full-Disclosure mailing lists or Exploit-DB and Packet Storm sites.
Public vulnerability disclosures — especially ones with details of the vulnerability and its disclosure — should not be released until a patch has been made available and system administrators have an opportunity to apply it. If a vendor is moving too slowly or resisting patching, reach out to CERT/CC or other coordinators.
3. Work with a CNA
A CVE Numbering Authority (CNA) is an organization that can assign CVE numbers. To reserve a CVE number, reach out to one of the following (in order of preference):
Vendor CNA: Some software vendors act as CNAs for their own software. If a vulnerability is discovered in one of these vendors’ products, reach out to their CNA contact. Third-party coordinators or email lists: If no vendor CNA is available, reach out to a CVE coordinator (like CERT/CC) or post on a mailing list like Bugtraq or OSS Security. After the vulnerability has been validated, it will be assigned a CVE. Root CNAs: If no CVE is assigned after following the methods above, reach out to one of the CVE Program Root CNAs to request a CVE. This can be accomplished via the online CVE Request Form.
To determine the appropriate CNA to contact and the organization’s POC for CNAs, visit MITRE’s list of CNAs. After requesting a CVE, you should be contacted by the CNA. Respond to any requests for clarification or additional detail. At the end of the process, a CVE number should either be assigned or the request will be officially rejected (with a rationale). If a CVE is assigned, it will be officially listed as “Reserved” until step 5 is completed.
4. Share the CVE with others
If a CVE has been assigned, it should be shared with the vendor and any other parties involved in the process. This helps to ensure that multiple CVEs are not assigned by different CNAs for the same vulnerability.
5. Public vulnerability disclosure
When appropriate, make a public disclosure of the vulnerability. In the announcement, clearly associate all assigned CVEs with the associated vulnerability. This is especially important if multiple CVEs are included in a single disclosure as system administrators need to know where on the CVE List to go for more information on a particular issue. After publishing a disclosure, notify the CVE team via the CVE Request form (“Notify CVE about a publication” option). This notifies the CVE team to change the CVE record from “Reserved” to including information about the vulnerability on the page.
Responsible vulnerability management
If you have discovered a legitimate vulnerability, you deserve credit for doing so. Registering for a CVE provides official recognition of your discovery. It is also important to ensure that vulnerabilities are corrected by the vendor; however, it is vital to do so responsibly. If a vendor ignores attempts at contact or refuses to issue a patch, always go through the proper channels (contacting CERT/CC or similar) before publicly exposing the vulnerability. While “name and shame” may be the only way to push some vendors into disclosure and issuing patches, doing so prematurely without exploring the options doesn’t just hurt the vendor. It also places any users of the vulnerable software at risk of exploitation with no ability to fix the issue. Sources Search CVE List, CVE Submit a CVE Request, CVE Request CVE IDs, CVE
