Replacing CVE
a year ago
- #Professional Certification
- #Vulnerability Reporting
- #Cybersecurity
- The CVE system is flawed: much of what it produces is noise rather than actionable vulnerability reports.
- Current vulnerability-reporting incentives encourage "script kiddies" to chase CVEs for résumé padding rather than for meaningful security improvements.
- Proposes replacing CVSS scores with a classification based on vulnerability attributes, for better precision and relevance.
- Proposes a Professional Software Engineer (PSWE) certification to enforce accountability in vulnerability reporting.
- PSWE certification would require accurate reporting within a 90-day window, with penalties for negligence.
- FOSS projects could opt into liability by hiring PSWEs, potentially easing funding problems while improving security reporting.
- The proposed measures aim to align incentives so that good security practice benefits both individuals and society.