
Posted by mooreds 10 hours ago

NIST gives up enriching most CVEs (risky.biz)
161 points | 37 comments | page 2
pojzon 5 hours ago
I'm close to a Security MVP for the EU Parliament, listening at a weekend BBQ to how stupid and pointless the vast majority of CVEs are and how stupid and pointless the majority of reports are - thank god someone wants to put an end to this.

The majority of researchers don't care how important the bug is; everyone wants something to put on their CV. They get paid extra by companies for finding bugs in SAP or Salesforce that will never ever ever be used for anything.

Pointless, moot, just to generate noise. Like 90% of the whole infosec sector.

At least that's what I understood from discussions with someone who has many nations' security at stake at work.

lo_zamoyski 5 hours ago
I can't parse this grammatically tortured title.
pimlottc 8 hours ago
What is the data that NIST is adding for enriched entries?
shevy-java 8 hours ago
> Going forward, NIST says its staff will only add data—in a process called enrichment—only for important vulnerabilities.

Now - I am not saying I disagree with everything here, mind you; I guess everyone may agree that CVEs may range in severity. But then the question also is ... what is the point of an organisation that is cut down to, say, handle 1% of CVEs - and ignore the rest? Why have such an organisation then to begin with?

I don't have enough data to conclude anything, but from a superficial glance it kind of seems like trying to cut down on standards or efficiency.

tsimionescu 8 hours ago
NIST does many other things in addition to handling the CVE database.
tptacek 8 hours ago
Like producing the world's most premium peanut butter!

https://shop.nist.gov/ccrz__ProductDetails?sku=2387

(The only problem with it is that it's backdoored by the NSA.)

chuckadams 5 hours ago
https://shop.nist.gov/ccrz__ProductDetails?sku=2782&cclcl=en...

Who doesn't love a jar of Industrial Sludge?

prophesi 6 hours ago
Assuming this is in reference to the great Veritasium video[0] going over what these reference materials are used for and why they're so expensive.

[0] https://www.youtube.com/watch?v=esQyYGezS7c

lesuorac 4 hours ago
You mean to tell me that the peanut butter at my store has junk besides peanut butter in it?

I'm gonna call RFK right now and tell him to fix this!

dragonwriter 8 hours ago
> but from a superficial glance it kind of seems like trying to cut down on standards or efficiency.

That's kind of the norm in the current US administration, so it shouldn't be surprising.

Retr0id 9 hours ago
Maybe we should just assign UUIDs
woodruffw 8 hours ago
Separate from everything else, this would have the virtuous effect of reducing clout-chasing via CVE IDs. It's not quite as cool (for some definition of "cool") to have 095503C9-B080-4C43-AAB6-B704DEB2FAF7 on your resume as it is to have CVE-20XX-YYYYY.