Last April, CISA issued an 11-month extension for its CVE program with MITRE, rescuing the program from an almost certain death.
-
Last April, CISA issued an 11-month extension for its CVE program with MITRE, rescuing the program from an almost certain death.
Since then, CISA and MITRE have negotiated a new deal that puts the CVE program on firmer footing.
My exclusive for CSO, with thanks to Peter Allor and others within the cybersecurity vulnerability community.
CVE program funding secured, easing fears of repeat crisis
https://www.csoonline.com/article/4142600/cve-program-funding-secured-easing-fears-of-repeat-crisis.html -
Last April, CISA issued an 11-month extension for its CVE program with MITRE, rescuing the program from an almost certain death.
Since then, CISA and MITRE have negotiated a new deal that puts the CVE program on firmer footing.
My exclusive for CSO, with thanks to Peter Allor and others within the cybersecurity vulnerability community.
CVE program funding secured, easing fears of repeat crisis
https://www.csoonline.com/article/4142600/cve-program-funding-secured-easing-fears-of-repeat-crisis.html@metacurity now can we fix it so bullshit doesn't get CVEs?
-
@metacurity now can we fix it so bullshit doesn't get CVEs?
@metacurity pretty sure around here is where the program went to shit https://app.opencve.io/cve/CVE-2021-38759
-
Last April, CISA issued an 11-month extension for its CVE program with MITRE, rescuing the program from an almost certain death.
Since then, CISA and MITRE have negotiated a new deal that puts the CVE program on firmer footing.
My exclusive for CSO, with thanks to Peter Allor and others within the cybersecurity vulnerability community.
CVE program funding secured, easing fears of repeat crisis
https://www.csoonline.com/article/4142600/cve-program-funding-secured-easing-fears-of-repeat-crisis.html@metacurity @joshbressers "Discussions have reportedly begun about potentially amending the EU’s Cyber Resilience Act to reference an identifier managed by ENISA rather than CVE."
(From Paris here) I just checked the full CRA text, there is no mention of "CVE". Not a single one.
-
@metacurity @joshbressers "Discussions have reportedly begun about potentially amending the EU’s Cyber Resilience Act to reference an identifier managed by ENISA rather than CVE."
(From Paris here) I just checked the full CRA text, there is no mention of "CVE". Not a single one.
@jbm @joshbressers I can't get any more specific without revealing the source who requested anonymity, but there was a discussion at a European conference he attended the week before last about adding, as an "add-on," an ANISA identifier rather than a CVE identifier to the CRA. He didn't say anything about there already being a mention of CVE in the CRA.
-
@jbm @joshbressers I can't get any more specific without revealing the source who requested anonymity, but there was a discussion at a European conference he attended the week before last about adding, as an "add-on," an ANISA identifier rather than a CVE identifier to the CRA. He didn't say anything about there already being a mention of CVE in the CRA.
There are already many vulnerability identifiers used across different databases and ecosystems. CVE is an important one, but it is only part of a broader and already distributed landscape of vulnerability information.
If you want to explore the diversity of existing sources including CSAF advisories, GitHub security advisories, and disclosures coming from various regions (including China and Russia).
You can see examples here:
Within the context of NIS2, the EUVD is expected to play the role of a reference point at the European level.
In practice, this makes the handling of cross-references between different identifiers particularly important. While reference catalogues can exist, the assurance and publication of vulnerability information will likely remain (and increase) distributed across many contributors.
-
R relay@relay.infosec.exchange shared this topic
