[$] The bogus CVE problem
Wednesday September 13, 2023. 10:46 PM, from LWN.net
The 'Common Vulnerabilities and Exposures' (CVE) system was launched late in the previous century (September 1999) to track vulnerabilities in software. Over the years since, it has had a somewhat checkered reputation, along with some attempts to replace it, but CVE numbers are still the only effective way to track vulnerabilities. While that can certainly be useful, the CVE-assignment (and severity scoring) process is not without its problems. The prominence of CVE numbers, and the consequent increase in 'reputation' for a reporter, have combined to create a system that can be—and is—actively gamed. Meanwhile, the organizations that oversee the system are ultimately not doing a particularly stellar job.
https://lwn.net/Articles/944209/