Security experts at the CERT Coordination Center (CERT/CC) have begun a new initiative designed to tackle the rise in sensationalist naming of vulnerabilities.

Its “vulnonym” project will publish to Twitter neutral names associated with CVEs as they are issued.

CERT researcher Leigh Metcalf argued that although humans find it easier to relate to and remember names rather than numbers, threat researchers and their marketing teams often go too far with names like “Spectre” and “Heartbleed.”

“Not every named vulnerability is a severe vulnerability despite what some researchers want you to think. Sensational names are often the tool of the discoverers to create more visibility for their work,” she added.

“This is an area of concern for the CERT/CC as we attempt to reduce any fear, uncertainty, and doubt for vendors, researchers, and the general public.”

As a result, CERT/CC will create what it hopes will become the de facto name for each CVE that is published.

“Our goal is to create neutral names that provide a means for people to remember vulnerabilities without implying how scary (or not scary) the particular vulnerability in question is. Our neutral names are generated from the CVE IDs to provide a nice mapping between name and number,” said Metcalf.

“The CERT/CC decided that if we can come up with a solution to this problem, we can help with discussions about vulnerabilities as well as mitigate the fear that can be spread by a vulnerability with a scary name. We plan to name the vulnerabilities with a phrase of adjective noun, for example, Arbitrary Albatross.”

Vulnonym is effectively a bot generating names from various lists of animals, plants, objects in space and other categories, and using the “Cantor Depairing Function” to map them to the relevant CVE IDs.
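The sketch below is an added example, not CERT/CC's code, showing how a Cantor depairing step can turn one integer derived from a CVE ID into two list indices, and why the mapping stays reversible. The integer encoding of the CVE ID, the five-word lists and the modulo indexing are all assumptions made for illustration.

```python
import math
import re

# Constructed sample lists (assumption: the real bot draws on far larger ones).
ADJECTIVES = ["Arbitrary", "Bottomless", "Foamy", "Guarded", "Pelleted"]
NOUNS = ["Albatross", "Whistler", "Waka", "Puffer", "Quetzal"]

def cantor_pair(x: int, y: int) -> int:
    """Cantor pairing: a bijection from pairs of naturals to naturals."""
    return (x + y) * (x + y + 1) // 2 + y

def cantor_depair(z: int) -> tuple[int, int]:
    """Inverse of cantor_pair: recover the unique (x, y) for a natural z."""
    if z < 0:
        raise ValueError("z must be a non-negative integer")
    # w is the index of the diagonal containing z; isqrt avoids float error.
    w = (math.isqrt(8 * z + 1) - 1) // 2
    t = w * (w + 1) // 2          # first value on that diagonal
    y = z - t
    return w - y, y

def cve_to_int(cve_id: str) -> int:
    """Assumed encoding: concatenate the year and sequence digits."""
    m = re.fullmatch(r"CVE-(\d{4})-(\d{4,})", cve_id)
    if m is None:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1) + m.group(2))

def neutral_name(cve_id: str) -> str:
    """Map a CVE ID to an 'Adjective Noun' phrase via depairing."""
    x, y = cantor_depair(cve_to_int(cve_id))
    # Modulo indexing is an assumption that keeps the short lists usable;
    # it collapses distinct pairs, so only full-size lists keep names unique.
    return f"{ADJECTIVES[x % len(ADJECTIVES)]} {NOUNS[y % len(NOUNS)]}"

if __name__ == "__main__":
    for cve in ("CVE-2020-1234", "CVE-2020-12345"):  # constructed IDs
        z = cve_to_int(cve)
        print(cve, z, cantor_depair(z), neutral_name(cve))
```

Because depairing is a bijection, the pair of indices can be fed back through `cantor_pair` to recover the integer, which is what gives the name-to-number mapping described in the quote above.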

It remains to be seen whether these names actually stick. Already the bot has come up with some curious-sounding monikers including “Bottomless Whistler,” “Foamy Waka,” “Guarded Puffer” and “Pelleted Quetzal.”

Source: https://www.infosecurity-magazine.com/news/certcc-aims-tackle-fud-new-cve/


World news – US – CERT/CC Aims to Tackle FUD with New CVE Naming Bot
