Operating a database of software vulnerabilities is a challenging undertaking, according to private vulnerability database operator Risk Based Security.
The National Vulnerability Database (NVD) is a US government-funded resource that does exactly what the name implies: it acts as a database of vulnerabilities in software. It operates as a superset of the Common Vulnerabilities and Exposures (CVE) system, operated by the non-profit Mitre Corporation, with additional government funding. For years, it has been good enough—while any organization or process has room to be made more efficient, curating a database of software vulnerabilities reported through crowdsourcing is a challenging undertaking.
Risk Based Security, the private operator of competing database VulnDB, aired their grievances with the public CVE/NVD system in their 2018 Vulnerability Trends report, released Wednesday, with charged conclusions including “there is fertile grounds for attorneys and regulators to argue negligence if CVE/NVD is the only source of vulnerability intelligence being used by your organization,” and “organizations are getting late and at times unreliable vulnerability information from these two sources, along with significant gaps in coverage.” This criticism is neither imaginative nor unexpected from a privately-owned competitor attempting to justify their product.
In fairness to Risk Based Security, there is a known time delay in CVSS scoring, though they overstate the severity of the problem, as an (empirical) research report finds that “there is no reason to suspect that information for severe vulnerabilities would tend to arrive later (or earlier) than information for mundane vulnerabilities.”
Mitre adopted a federated model for reporting in 2018, which directs CVE Numbering Authorities to rely on product vendors and researchers for determining whether an issue requires a CVE, and allows those parties to propose the official description for issues. This, according to Risk Based Security, resulted in Mitre “[applying] no editorial standards,” leading to “simple typographical errors” and reports that do not indicate “the responsible vendor or impacted product.”
Private databases do not offer better editorial control
Risk Based Security claims VulnDB had 22,022 vulnerabilities published in 2018, which is a “6.4% increase or nearly a 1.0% decrease from 2017,” in an awkward tale of vulnerability superposition—the company notes that the numbers are figured by discovery date, not disclosure date. This makes the concept of a “yearly total” a moving target—either a pained understanding of statistics, or an intentionally obtuse presentation of those statistics. Of that total, VulnDB is claimed to have 6,780 more vulnerabilities than CVE/NVD in 2018, though the value of that figure is specious. (NVD claims 16,517 vulnerabilities in 2018, which would make VulnDB have only 5,505 more vulnerabilities.)
The report claims that “It is important that vulnerability intelligence and statistics, including those contained in this report, be presented in a clear, responsible, and standardized manner with the appropriate definitions, disclaimers, and notes. With full disclosure in mind, VulnDB counts only distinct vulnerabilities. Meaning, if a product includes vulnerable code from third-party dependencies it is not treated as a new vulnerability.” It is unclear if Risk Based Security actually adheres to this standard, as analysis in the report conflates duplicate vulnerabilities by vendor.
When and why a vulnerability does not receive a CVE assignment
There are valid reasons for vulnerabilities not to receive an individual CVE assignment, the most visible of which relate to partially duplicated work. This happened frequently in the wake of the Spectre and Meltdown vulnerabilities disclosed in January 2018, where further research surfaced a variety of different strategies to leverage a specific flaw that were not themselves new vulnerabilities. Variants of Meltdown, including SGXSpectre, were denied CVEs for this reason.
A better case for more funding of CVE/NVD
The report inadvertently makes a better case for allocating more funds to CVE/NVD to enable those organizations to provide better editorial control over their shared database to ensure that vulnerabilities receive proper classifications and descriptions. Hiding vulnerability information behind a paywall makes the entire technology ecosystem—including devices not connected to the internet—less safe.
Fundamentally, reports such as this and security vulnerabilities themselves are aggregate information, which makes the prospect of privatization a particularly pernicious one—the responsibility of cataloging this information should be shared between product vendors, security researchers, and non-profit or government stakeholders and security services.