I've been thinking about some of these unintended consequences in the context of a growing problem faced by all of us in cybersecurity: how a fast-rising tide of software vulnerabilities, tracked as Common Vulnerabilities and Exposures (CVEs), are reported and maintained.
Last year saw a record 28,902 published CVEs - or almost 80 vulnerabilities published every day - representing a 15% increase over 2022.
Some of these software flaws represent a real cost, with two-thirds of security organizations reporting an average backlog of more than 100,000 vulnerabilities, and estimating that due to this overwhelming volume, they're able to patch fewer than half of them.
The count of published CVEs is only one metric, because not all vulnerabilities receive a CVE; that decision is generally left to the software vendor.
In some cases, a software vulnerability is fixed and no CVE is issued.
The growing number of CVEs stems from two factors: We've gotten better at discovering vulnerabilities, and there are insufficient safeguards in place governing the creation and tracking mechanisms for CVEs.
The incentive structure must also be considered: who is motivated to identify vulnerabilities, and who is motivated to rate their severity accurately, or not.
Established in 1999 by MITRE, the CVE system serves as a trusted clearinghouse for the security industry, offering a standardized method for identifying and cataloging software vulnerabilities.
By providing unique identifiers for security weaknesses found in commercial and open source software, CVEs enable enterprises and software vendors to effectively prioritize and mitigate vulnerabilities, thereby reducing the opportunity for threat actors to exploit these flaws.
The motivation to discover and report vulnerabilities, whether for recognition or professional advancement, sometimes favors quantity over quality of submissions. The result is a stream of trivial or noncritical reports that clutter the system and divert attention from more severe vulnerabilities.
Lack of accountability: The ability to file CVEs anonymously, or with minimal evidence supporting the vulnerability claim, introduces a layer of opacity that can be problematic.
Measuring the wrong metric: The Common Vulnerability Scoring System (CVSS), which provides a numerical score to indicate the severity of vulnerabilities, has come under criticism for its lack of correlation with the actual risk posed by vulnerabilities in real-world environments.
Because a CVSS base score reflects the intrinsic characteristics of a flaw rather than its exploitability or impact in a specific environment, high-scoring vulnerabilities can receive undue attention while lower-scoring flaws that are actually being exploited in a given environment get deprioritized.
Upon closer examination, it turns out that this so-called critical vulnerability isn't a vulnerability at all.
Fixing the Incentive Structure of CVE Reporting
Just as a policymaker can nudge citizen behavior by creating or removing certain incentives, we should consider revising the incentive structure of CVE reporting to discourage low-effort reporting of vulnerabilities.
Reward quality over quantity: Basing rewards not only on the number of reported vulnerabilities but on their quality and impact would encourage researchers to focus on flaws that pose a real threat in the environments where the software is deployed.
A reward system focused on higher-quality submissions might better motivate researchers to prioritize vulnerabilities that could potentially impact a large user base or cause widespread disruption and data breaches.
While still protecting the identity of researchers, the CVE assignment process would require more substantial proof of a vulnerability's existence and its potential impact before an identifier is issued.
Redefine the CVSS to reflect real-world risk: Revamping the CVSS to better reflect the real-world risk and exploitability of vulnerabilities would help ensure that designated scores provide more accurate guidance for prioritization.
Incentives undoubtedly play a significant role in motivating individuals and organizations to invest time and resources into finding and disclosing vulnerabilities.
This Cyber News was published on www.darkreading.com. Publication date: Wed, 29 May 2024 14:05:11 +0000