Happy Birthday, CVE!

It was October 1999. Macs had just got embedded Wi-Fi, Napster had launched, and Yahoo had purchased Geocities for $3.6bn. Something else happened that escaped most computer users at the time: CVE posted its first bug. The Common Vulnerabilities and Exposures (CVE) system is 20 years old this week.

Created by the non-profit Mitre Corporation, which oversees several federal government programs, CVE provides common identifiers for cybersecurity bugs, making them easier to track and fix.

Back then, most cybersecurity bug tracking tools used their own databases and their own IDs for bug tracking. That made it difficult for people to collaborate on reporting and fixing them. CVE fixed this using its bug numbering system.

The CVE list couldn’t have come at a better time – 1999 was the year that widespread malware infections really took off. The CIH virus that appeared the year before dropped its first payload in 1999, In March, the Melissa worm devastated Office users’ machines around the world, setting the record for the most powerful malware so far.

The list started small but has grown to contain over 125,000 vulnerabilities. NIST’s National Vulnerabilities Database (NVD) is based on it, and Mitre also mines the vulnerabilities to produce a list of broader cybersecurity weakness categories known as the Common Weakness Enumeration.

The CVE’s success also presents new challenges. For years, the list grew at a modest rate, adding between 4,000 and 8,000 new bugs each year. Then in 2017, things exploded with a 128% spike in new bugs. A year-on-year growth rate of just 12% in 2018 may be more modest, but it also suggests a new normal in which bug reports now top 10,000 each year.

Mitre has strained under the weight of this extra work. Even before the massive 2017 spike, there was a reported slowdown in processing. Congress investigated and found that inconsistent funding was hindering the program. It recommended a change in the funding structure, along with biennial reviews.

Mitre has responded by expanding its operations to produce a more federated management approach.

When someone discovers a bug they can ask a CVE Numbering Authority (CNA) to give it an ID number. It then combines that with a description and any associated references to create a CVE entry which is added to the list. Mitre is the root program CNA, but there are others, and it has expanded this community to cope with growing demand. In 2016 there were 22 CNAs. Today, there are 104, including 5 CERTs, 2 bug bounty programs, and 9 individual security researchers.

As the number and diversity of bugs grows, a central, standard way to name and track them will be more important than ever. It’s difficult enough meeting this challenge even with a central list. Imagine what things would be like if we were all still using our own naming systems and documenting bugs in hundreds of individual silos?