Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Member Portal
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Education Platforms
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
Master CSA’s Security, Trust, Assurance, and Risk program—download the STAR Prep Kit for essential tools to enhance your assurance!

A Vulnerability Management Crisis: The Issues with CVE

Published 11/21/2024

Home
Industry Insights
A Vulnerability Management Crisis: The Issues with CVE

For decades, the cybersecurity industry has relied on the Common Vulnerabilities and Exposures (CVE) program to standardize vulnerability documentation and guide threat intelligence. The program assigns a unique identifier to each discovered security vulnerability. Then, it ranks the vulnerability's severity using the Common Vulnerability Scoring System (CVSS).

publication cover

Despite the widespread reliance on CVE, the system has had few updates over the many years that it has existed. We have found that the increasing complexity and scale of modern cybersecurity challenges has outpaced the capabilities of CVE. Below, get an overview of the major challenges that CVE faces in the current landscape.

You can also find a more in-depth look at these issues and their potential solutions in our latest publication.


Data Quality and Fidelity

Most of the CVEs coming out right now lack important metadata information. This can include specific impact details, impacted libraries, and other essential data. Impact details are especially important for discerning the importance of various vulnerabilities.

Moreover, many CVEs have outdated information. This can be especially detrimental, as evidenced by the Heartbleed bug. Researchers initially gave the CVE a medium severity score. However, even after realizing the vulnerability's real-world danger and impact on internet security, no one updated the score.


Perverse Incentives to Not Create CVEs

While many companies submit the vulnerabilities they find, there are incentives to hide them as well. Addressing vulnerabilities is often at the bottom of a company’s priority list. Instead, they choose to direct resources toward initiatives that directly grow and benefit the company.

Additionally, if they don't publish a vulnerability, an organization can quietly fix it without the public’s knowledge. This protects the company’s image.


Finding Relevant Vulnerability Data

With researchers publishing new CVEs daily, it becomes increasingly difficult to search through this data and identify vulnerabilities that are relevant to you. Numerous vulnerability management software tools try to address this. However, these tools often struggle with slow scanning speeds and false positives.

Additionally, no one notifies the owner of a project about CVEs that pertain to their project. This leads to incorrect information within the CVE. This is a huge problem that adds unnecessary complexity for vulnerability management teams.


Lack of Interoperability

The various vulnerability databases and sources largely don’t work together, increasing the complexity for organizations. The first part of this problem is the wide array of data formats that different vulnerability databases use. Formats such as CVE, GitHub Advisory Database, and Open Source Vulnerabilities each use a different structure. This creates disparities between the databases and the information they hold.

Organizations have to use multiple APIs to keep track of vulnerabilities across databases. This puts a lot of work on security teams and incurs extra operational costs. Despite the prevalence of this problem, the major vulnerability databases have made little progress to address it.


Resolving Disputes

When someone publishes a CVE with incorrect information, the process to dispute it lacks transparency. While a CVE is under dispute, it remains in the database. False information spreads until someone can resolve the dispute.


Complexity of Reporting Vulnerabilities

Many people find the CVE submission process to be confusing and complex, discouraging potential submitters. Here’s an overview of the process:

  • Initial Reporter: The person finding the vulnerability and trying to disclose it to be categorized as a CVE.
  • Choosing a CVE Partner: Next, the reporter has to identify which CVE partner they would be using. That can be hard, since there are hundreds of them, each with a CNA scope.
  • Means of Submission: The means vary depending on the partner. Microsoft and CISA have a form. Most of them provide an email address for submissions but do not indicate what information they require. In many cases, this leads to an extended email chain between the reporter and the CVE partner.
  • CVE Publication: After making the submission, the CNA obtains a CVE ID and then publishes it. This process can take several weeks or even months. Communication with the initial reporter often breaks down, leaving them uncertain as to what has happened to their CVE.
  • Potential Rejection: The CNA can decide that the CVE is out of scope or doesn't meet its criteria. Then, the reporter has to either submit directly to MITRE or drop the process altogether.
  • Lack of Feedback: There is no feedback system for CVEs. Reporters find it hard to understand what makes a good submission.

Overall, the system of vulnerability reporting is inconsistent and complicated. This deters submissions and negatively impacts the quality and effectiveness of the CVE process.


Handling False or Low-Quality Reports

With the recent surge in CVE submissions, there has been a growing problem of people submitting false or low-quality data. Getting a CVE published is a huge and desirable accomplishment for a security professional. This means that some people are willing to submit low-quality or even false CVEs just to add it to their resume.

Another reason for low-quality CVEs is CVE misuse. One example of this is engineers using CVEs to backport patches. Many companies don’t prioritize patches for older, stable kernel versions. To make them a priority, engineers will submit these patches as CVEs.


Increasing Number of CVEs Every Year

Another significant challenge is the sheer volume of CVEs that people discover and report each year. The number of reported CVEs has been rising consistently, from 321 CVEs in 1999 to 28,961 in 2023.

This continuous growth exacerbates several existing issues within the CVE system. As people publish more CVEs, it becomes impossible to ensure each entry is accurate, detailed, and actionable. Additionally, it becomes increasingly difficult to prioritize remediation efforts effectively. The existing CVSS scoring system, while helpful, is not sufficient to deal with this volume.


CVSS

When analyzing the severity of vulnerabilities, it is crucial to consider scoring systems that weigh the vulnerability threat levels. The Common Vulnerability Scoring System (CVSS) is one of the most widely used severity scoring systems. The issues with CVSS include:

  • Inability to Prioritize Risk: A variety of research underlines that CVSS cannot prioritize certain elements. One example is the material consequences to the business if an adversary exploits the vulnerability.
  • Limited Awareness of Context: There are many important factors that CVSS does not consider. One of these critical limitations is the fact that CVSS cannot prioritize a threat differently for different environments. Since CVSS assigns a universal score to a CVE, it appears that the vulnerability is consistent across all systems.
  • Static Scoring System: CVSS statically assigns a severity score to a vulnerability within a short period after its discovery. The problem with this system is that, in most cases, no one updates the base score after the initial assignment. Therefore, the score becomes static and reflects no change in vulnerability impact or threat level over time.


Learn More

The rapidly evolving threat landscape demands innovative solutions to address the many challenges in vulnerability data management. Continue the exploration of CVE and CVSS challenges and alternatives in CSA's Top Concerns with Vulnerability Data publication.

Common Vulnerability and Exposures Innovating from the cloud VulnerabilitiesVulnerability Data

Share this content on your favorite social network today!

Future Cloud
Related Resources
Certificate of Competence in Zero Trust (CCZT)
The industry's first Zero Trust certificate program.
AI Organizational Responsibilities
A blueprint for enterprises to secure AI development and deployment.
AI Safety Initiative
Addressing present and future challenges of AI safety and security.
Latest from CSA
Mark Your Calendar for Cyber Monday!
Map the Transaction Flows for Zero Trust
Advance AI Risk Management
Enhance your cloud security skills with CSA's online training options.
Related Articles:
Cloud Security Alliance Issues Comprehensive Guidelines for Auditing Artificial Intelligence (AI) Systems, Beyond Compliance

Published: 11/14/2024

ConfusedPilot: UT Austin & Symmetry Systems Uncover Novel Attack on RAG-based AI Systems

Published: 11/12/2024

The Hidden Power of Zero Trust Thinking

Published: 10/30/2024

Democracy at Risk: How AI is Used to Manipulate Election Campaigns

Published: 10/28/2024