MITRE rolls out new CVE system after Reg reveal

Vulnerability clearing house MITRE will launch an experimental federated and fast-processing platform on Monday to address widespread discontent within the security sector revealed by The Register. The pilot platform will implement a new structure for issuance of Common Vulnerabilities and Exposures numbers. MITRE will …

  1. brotherelf

    Help my poor old brain,

    but didn't they (at least attempt to) change the format about two or three years back already? I vaguely recall discussions along the line of "Will making parts of the number hex break more things than giving it more digits?"

    1. djack

      Re: Help my poor old brain,

      Yep. They changed the number from being four digits to allowing it to overflow to five (or more) digits when needed.

  2. Anonymous Coward

    how does issuing country have any bearing?

    How will this be an advantage over the old CVE system, which (as others have rightly pointed out) was already changed a few years back? Not to mention this will break most CVE search functions... the old system was fine for researchers, all we wanted was for them to actually deliver the references faster... not change the referencing system. Also, what happens to current CVE numbering authorities? I assume a lot of them will have to modify their back-end to deal with the new numbering...

  3. Keith Glass

    And of course. . . .

    . . . any software that tracks vulnerabilities, now has to have, at minimum, a new schema for the added 6 characters, likely as two fields. . .

  4. CalliOpe

    just don't call this new thing "CVE"

    When a CVE might affect my shop, I'm not allowed to go home until I create a ticket saying what we're doing about it. My Pointy Haired Boss won't ever understand that CVE-CCCIII-YYYY-NNNN is different than CVE-YYYY-NNNN. So basically I'm screwed. I'm totally fine with Mitre giving out a number whenever anyone claims anything is a security bug, even if the disclosure makes no sense, AS LONG AS IT ISN'T A CVE NUMBER. How about Mitre Universal Disclosure Preliminary Identifier Enumeration, like MUDPIE-2016-0001?

  5. EnviableOne

    Get ahold of yourselves, MITRE

    Who cares who issues it and in what country, people just want numbers.

    So instead of coming up with harebrained new formats, give people numbers!

    And if you don't have the people to do it, let other people give out numbers!
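
An added example, not part of the original thread or of any MITRE tooling: the change djack describes above (sequence numbers growing from four digits to five or more) is what breaks parsers and sorts written against the four-digit form. The sample text, the IDs in it and the function names are constructed for illustration.

```python
import re

# Pre-change assumption: the sequence part is exactly four digits.
LEGACY_STRICT = re.compile(r"\bCVE-(\d{4})-(\d{4})\b")
LEGACY_LOOSE = re.compile(r"CVE-(\d{4})-(\d{4})")  # no boundary check
# After the change: four or more sequence digits.
CURRENT = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

# Constructed advisory text; these IDs are made up for the example.
SAMPLE = ("Fixed in this release: CVE-2016-2000, CVE-2016-10007 and "
          "CVE-2016-0042. See also CVE-2016-10007.")


def extract(text, pattern=CURRENT):
    """Return the IDs matched by `pattern`, in order, without duplicates."""
    seen, ids = set(), []
    for m in pattern.finditer(text):
        cve = f"CVE-{m.group(1)}-{m.group(2)}"
        if cve not in seen:
            seen.add(cve)
            ids.append(cve)
    return ids


def sort_key(cve_id):
    """Order by (year, sequence) as integers, not as strings."""
    _, year, seq = cve_id.split("-")
    return int(year), int(seq)


def legacy_gaps(text):
    """Compare four-digit parsers with the current syntax.

    Returns (missed, truncated): IDs the strict legacy pattern never sees,
    and IDs the loose legacy pattern reports that are not real IDs in the text.
    """
    real = extract(text)
    missed = [c for c in real if c not in extract(text, LEGACY_STRICT)]
    truncated = [c for c in extract(text, LEGACY_LOOSE) if c not in real]
    return missed, truncated


if __name__ == "__main__":
    print("current:    ", extract(SAMPLE))
    print("gaps:       ", legacy_gaps(SAMPLE))
    print("string sort:", sorted(extract(SAMPLE)))
    print("id sort:    ", sorted(extract(SAMPLE), key=sort_key))
```

The truncated result is the worse of the two failures for a tracking system, because the finding is silently filed under a different identifier instead of being dropped.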
