Concerns have been raised that the DWF project is causing “confusion” in the community

CVE slams DWF project for publishing CVEs

The board responsible for overseeing the CVE vulnerability identification program has criticized the DWF project for publishing what it says are “unauthorized” CVE records.

The Common Vulnerabilities and Exposures (CVE) system is a widely used program for cataloging and tracking security vulnerabilities.

Due to the countless vulnerabilities found and reported every day, the Mitre Corporation’s CVE board authorizes organizations to act as CVE Numbering Authorities (CNAs) which are permitted to assign CVE numbers for bugs.

Clearing the backlog

The CVE system aims to provide organizations, researchers, and security specialists the means to track and remedy vulnerabilities, with each disclosed security bug receiving a unique identifier.

However, the CVE process has not been without criticism.

As far back as 2016, Mitre came under fire for alleged backlogs in CVE assignments, leading to concerns that the program – called by some a “cornerstone” of the industry – could become less relevant in the fight against cybersecurity threats in the future.

RELATED CNAs and CVEs – Can allowing vendors to assign their own vulnerability IDs actually hinder security?

These complaints led to the creation of the Distributed Weakness Filing (DWF) system.

Co-founded by Kurt Seifried and Josh Bressers, DWF is a community-based open source project described as an effort to “modernize and improve the security identifier ecosystem”.

The DWF project says that the point of the exercise is to address pain points in the CVE assignment process, as well as improving speed, latency, and volume with the assistance of automation.

The CVE program is overseen and operated by Mitre Corporation

Mistaken identity

There are currently 169 registered CNAs worldwide. The DWF was previously a CNA but no longer acts in this capacity.

Additionally, Seifried resigned from his position as a CVE board member in January 2021 due to “a lack of innovation and forward movement”.

DWF has previously said that in order to prevent overlaps between itself and the CVE project, the numbers is assigns to vulnerabilities started in the 1000000+ range in the past – and as legacy CVE assignments top out at roughly 17,000 CVEs per year, clashes and confusion should not occur.

If existing CNAs began publishing 100,000 CVEs or more on a frequent basis, for example, the DWF said it would move to the 2000000+ range to maintain “significant buffer space”.

“This is trivially achieved as the CVE identifier includes the year allowing changes to be made trivially every year,” Seifried says. “This process can of course be repeated assuming legacy CVE assignments grow rapidly.”

However, this does not appear to have placated the CVE board, which includes representatives from numerous cybersecurity vendors, academic, researchers, government departments and agencies, and other prominent security experts.

Confusion in the community

On May 27, the organization said the DWF project is not following established CVE program rules, and therefore, any CVE assignments issued by it are not valid and will not be included in the main CVE list.

The organization claims the DWF has been causing “confusion” in the community by “infringing on the CVE namespace by issuing IDs using the CVE Program syntax in the CVE-2021-xxxxxxx (million) range”.

“The CVE Board wants to make this clear to community stakeholders to eliminate the confusion caused by the unauthorized use of the CVE namespace,” it said.

The issue has not been resolved, and on April 2 a further message from the CVE board, directly addressed to the DWF’s co-founders, was published online.

RECOMMENDED Google Chrome Web Store is ranking suspicious web extensions above popular plugins

The organization claims that the DWF has begun “attempting” to issue CVE IDs via its GitHub repository, and that at least eight records have been pushed. But as the project is not a named or approved CNA, issuing CVE IDs is causing “confusion in the CVE contributor and user communities”.

Furthermore, the group says that this activity – no matter the numbering order used – could “undermine public trust in the entire CVE system”.

“This erosion of trust degrades the CVE community’s ability to provide a free public resource to track vulnerabilities and reduce cybersecurity risk,” the statement reads.

To push the matter from the realm of confusion into the legal, the CVE board also says that issuing unauthorized CVE IDs is a “misappropriation” of the CVE brand, unfair competition, and may allegedly be an abuse of a “registered trademark of the Mitre Corporation”.

The CVE board has invited DWF to re-apply for CNA status, but in the meantime asks that DWF should cease issuing CVE IDs and “rename all current and future IDs that DWF issues”.

The organization told The Daily Swig that the CVE board has been in “direct communication with DWF as well as the broader community regarding DWF’s activities”.

Mitre declined to comment further. Seifried pointed us to the DWF press pack, which was updated at the time of enquiry.

INTERVIEW ‘Being serious about security is a must’ – Apache Software Foundation custodians on fulfilling its founding mission