Replacing CVE
a year ago
- #Vulnerability Management
- #Professional Certification
- #Cybersecurity
- MITRE's CVE system is criticized for inefficiency and vulnerability misclassification.
- The current CVE system lets 'script-kiddies' exploit it for resume padding, making the database noisy and less useful.
- Curl and other major projects have had to become CNAs to manage their own vulnerability reports.
- Two proposed systems: one where submitters control the database, another where vendors control vulnerability classification.
- Proposal to replace CVSS scores with attribute-based vulnerability descriptions for better accuracy and utility.
- Introduction of Professional Software Engineer (PSWE) certification to enforce vulnerability reporting and accountability.
- PSWE certification would require accurate reporting within a 90-day window, with penalties for non-compliance.
- FOSS projects would not require PSWEs unless they accept liability, potentially solving funding issues.
- Proposal includes measures to prevent gatekeeping in PSWE certification, ensuring accessibility and fairness.
- Changing incentives around vulnerability reporting could solve multiple industry problems simultaneously.