Why CVEs Are an Incentives Problem

I've been thinking about some of these unintended consequences in the context of a growing problem faced by all of us in cybersecurity: how a fast-rising tide of software vulnerabilities, tracked as Common Vulnerabilities and Exposures (CVEs), is reported and maintained.
Last year saw a record 28,902 published CVEs, almost 80 every day, a 15% increase over 2022.
These flaws carry a real cost: two-thirds of security organizations report an average backlog of more than 100,000 vulnerabilities and estimate that, overwhelmed by this volume, they're able to patch fewer than half of them.
Published CVEs are only a partial measure, because not every vulnerability receives a CVE; that decision is largely left to the software vendor.
In some cases, a software vulnerability is fixed and no CVE is issued.
The growing number of CVEs stems from two factors: we've gotten better at discovering vulnerabilities, and there are insufficient safeguards governing how CVEs are created and tracked.
The incentive structure, particularly who is motivated to identify and assign severity to reported vulnerabilities accurately or inaccurately, must also be considered.
Established in 1999 by MITRE, the CVE system serves as a trusted clearinghouse for the security industry, offering a standardized method for identifying and cataloging software vulnerabilities.
By providing unique identifiers for security weaknesses found in commercial and open source software, CVEs enable enterprises and software vendors to effectively prioritize and mitigate vulnerabilities, thereby reducing the opportunity for threat actors to exploit these flaws.
The motivation to discover and report vulnerabilities, driven by the desire for recognition or professional advancement, sometimes results in a focus on quantity over quality of submissions. The result is reports of trivial or noncritical issues that clutter the system and divert attention from more severe vulnerabilities.
Lack of accountability: The ability to file CVEs anonymously, or with minimal evidence supporting the vulnerability claim, introduces a layer of opacity that can be problematic.
Measuring the wrong metric: The Common Vulnerability Scoring System (CVSS), which provides a numerical score to indicate the severity of vulnerabilities, has come under criticism for its weak correlation with the actual risk posed by vulnerabilities in real-world environments.
Because the CVSS score doesn't always accurately reflect the exploitability or impact of a vulnerability within a specific context, we increasingly see situations where high-scoring vulnerabilities receive undue attention while more critical, exploitable flaws in certain environments get deprioritized.
Upon closer examination, it turns out that this so-called critical vulnerability isn't a vulnerability at all.
Fixing the Incentive Structure of CVE Reporting

Just as a policymaker can nudge citizen behavior by creating or removing certain incentives, we should consider revising the incentive structure of CVE reporting to discourage low-effort reporting of vulnerabilities.
Reward quality over quantity: Implementing rewards based not only on the quantity but the quality and impact of reported vulnerabilities would encourage researchers to focus on exploits that pose a threat in a particular environment.
A reward system focused on higher-quality submissions might better motivate researchers to prioritize vulnerabilities that could potentially impact a large user base or cause widespread disruption and data breaches.
While protecting the identity of researchers, this process would require more substantial proof of a vulnerability's existence and its potential impact before a CVE is assigned.
Redefine the CVSS to reflect real-world risk: Revamping the CVSS to better reflect the real-world risk and exploitability of vulnerabilities would help ensure that designated scores provide more accurate guidance for prioritization.
Incentives undoubtedly play a significant role in motivating individuals and organizations to invest time and resources into finding and disclosing vulnerabilities.


This Cyber News was published on www.darkreading.com. Publication date: Wed, 29 May 2024 14:05:11 +0000

