Lack of consultation fingered for CVE allocation disaster.
A pilot project launched by vulnerability handler MITRE to address stagnation in the assignment of bug identification numbers has been shelved less than a day after its announcement and before its scheduled launch today.
The pilot was devised in response to complaints by security researchers and MITRE board members about the stalled allocation of CVE numbers.
As detailed by The Register, dozens of security researchers have struggled to gain Common Vulnerabilities and Exposures (CVE) numbers for their discovered vulnerabilities in what they say impacts broader security.
The MITRE website now bears a warning to visitors that it is experiencing “unprecedented demand for vulnerability IDs” and that it will work with the editorial board for a solution.
The pilot was rapidly spun up as a fix to address gaps in the CVE allocation scheme by accelerating the issuance of numbers under a revised naming schema planned to run in parallel with CVE.
It received swift criticism on grounds it was developed without consultation and would confuse the market, break existing tools, and ultimately fail to speed up allocation.
Mitre will hold an editorial meeting to discuss the future of the CVE system.

The Register understands an announcement is due within a week but just what any new scheme will offer is unknown.
MITRE CVE communications and adoption lead Joe Sain said the pilot would be placed on “indefinite hold”.
“A number of concerns with the proposed syntax were raised, and we heard them clearly …we will not move forward with a public announcement of the pilot plan, which we are putting on indefinite hold,” Sain says.
“The pilot described yesterday was designed to run in parallel and to be completely separate from the production CVE stream, but we certainly understand the importance of not perturbing any operating aspect of CVE.
“… we are looking forward to developing an operating model that enables CVE to move forward and that preserves the foundational work that the community has put into the effort.”
MITRE editorial board members were quick to criticise the pilot federated platform. Kent Landfield also of Intel said the pilot “breaks just about everything” adding his earlier suggestion that a federated platform be considered should have been developed with the board.
“…
I and others that have operational responsibility for using and distributing CVEs [thought we] would have some say in what it looked like,” Landfield says.
“It would be in the best interest to hold off in my mind since these (pilots) IDs have no usefulness in product and this will totally confuse the market, researchers, and those with operational needs for a consistent CVE.”
The remarks are echoed by another board member Kurt Seifried, of RedHat, who says he has struggled to push for an overhaul of the CVE system.
A history of fatigue and failure
Brian Martin, a board member of MITRE and CEO of Attrition.org has been pushing for a solution to vulnerability identification problem for more than a decade.
He and others of the Open Security Foundation have developed the Open Sourced Vulnerability Database, founded in 2002, seating it as an accurate and unbiased repository of vulnerability data.
Martin says it could have been the most comprehensive free vulnerability database if 1000 security professionals offered 15 minutes a week to maintain it.
But the size of the vulnerability cataloguing challenge is considerable.
If he were to be handed 100 staff Martin reckons he could catalogue known and public vulnerabilities that are scattered around the web.
Even without the manpower and MITRE money, the database last year catalogued some 6,000 more vulnerabilities than were clocked under CVE, drawing from some 2,000 sources checked weekly and more than 3,000 reviewed once a month.
The concept behind the Foundation was shared with MITRE in 2008 when the US Government agency was urged to look beyond the standard sources and to “aggregate everything”.
Martin sees three core flaws with MITRE, namely its old technology, its lack of motivation to innovate under non-compete contracts, and its policy guidelines.
“They are using the same scripts, same process, with all of the old flaws and bottlenecks,” Martin told Vulture South.
“In 17 years, they haven’t evolved at all … there is no motivation for them to improve if they lack a personal desire to do so.
“They are to the point where they can go a month without replying to us (the editorial board), only to eventually give us a few line generic platitude.”
His remarks are echoed by other editorial board members frustrated with a lack of engagement with MITRE and what they say is a history of failure. ®