
"His analysis cites academic research published in August as part of the USENIX Security Symposium. The paper, "Confusing Value with Enumeration: Studying the Use of CVEs in Academia," (Moritz Schloegel et al.), reports that 34 percent of 1,803 CVEs cited in research papers over the past five years either have not been publicly confirmed or have been disputed by maintainers of the supposedly vulnerable software projects. The authors argue that CVEs should not be taken as a proxy for the real-world impact of claimed vulnerabilities."
"CNAs may be companies, open source maintainers, foundations, service providers, vulnerability researchers, national computer security incident response teams (CSIRTs), and others. CNAs may also delegate CVE assignment to a CNA-LR - that is, a CVE Numbering Authority of Last Resort - such as Red Hat, which can assign CVEs and publish details outside of its scope, on behalf of a CNA."
Thirty-four percent of 1,803 CVEs cited in research papers over the past five years were not publicly confirmed or were disputed by software maintainers, reducing the reliability of CVEs as a proxy for real-world impact. CVE identifiers are issued when a security researcher discloses a vulnerability to a CVE Numbering Authority (CNA), which is expected to verify submissions, assign numbers, and publish details. CNAs include companies, open-source maintainers, foundations, service providers, vulnerability researchers, and national CSIRTs, and assignment can be delegated to CNA-LRs such as Red Hat. The incentives are misaligned: researchers seek many CVEs to build reputations, while product CNAs have little motivation to expose flaws in their own software. Vulnerability rating systems and threat-risk assessment methods require an overhaul.
Read at Theregister