
Why is MITRE not changing some CVE entries that are clearly wrong? I have deeply analysed and extensively tested some specific vulnerabilities. The CVE reports of them are in some cases inconsistent, incorrect or even registered to one CPE while I created reproducible proof that that specific CVE applies to multiple versions (CPEs) of the same product, and so it should be correctly listed.

I think the quality of the database is quite worthless if they don't correct it. I tried to contact them several times, but they don't seem to fix it. What's best to do now?

schroeder
Bob Ortiz
  • Perhaps if your question contained an example or two of problematic CVEs, someone could help you better. I think that many CVEs originate outside of MITRE and that they republish them without verification. Perhaps they aren't staffed to deal with individual problems? – Neil Smithline Jun 26 '16 at 23:25
  • CVEs do originate outside of Mitre, but they do some of their own leg work. For example, they will create their own vectors and scores for the CVEs, they do not rely on vendor or project provided numbers. – Swashbuckler Jun 27 '16 at 00:09

1 Answer


I have gotten CVE entries corrected previously, but not consistently. I think it depends on how much they have to do to verify what you tell them. If you can show internal inconsistencies (e.g. the description says these versions are affected, but the list of affected versions is different), I've had them correct that. For more involved things they say they'll get to it when they get a chance, and then they never seem to.

It's not worthless, but it could definitely be improved significantly. My bet is they don't have enough people to properly maintain it so they prioritize keeping up with new entries and then fixing the easy things they can.

What next? If you live in the US consider writing your Congressman and Senators. I've also thought about writing to the chairs and the ranking members of the Senate Intelligence Committee and the House Homeland Security Subcommittee on Cybersecurity about it. This should be a fairly easy fix with proper funding. And it's proverbial low-hanging fruit.

Swashbuckler
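The "internal inconsistency" the answer describes (description and affected-version list disagreeing) is something you can check mechanically before writing to MITRE, and the same check covers the asker's complaint that a CVE is registered to fewer CPEs than it actually applies to. The following is an added example, not code from the original post or from MITRE or NVD. It uses the CVE JSON 5.0 container layout (`containers.cna.descriptions` and `containers.cna.affected[].versions[]`) and CPE 2.3 formatted strings; the CVE ID, vendor, product and version numbers in the embedded record are placeholders constructed for the example, and the version-extraction regex is a heuristic, not part of either format.

```python
import json
import re

# Constructed CVE JSON 5.0-style record (placeholder CVE ID, vendor and
# product; not a real entry) in which the description names one more
# version than the affected list does.
CONSTRUCTED_RECORD = json.loads(r'''
{
  "cveMetadata": {"cveId": "CVE-0000-0000"},
  "containers": {
    "cna": {
      "descriptions": [
        {"lang": "en",
         "value": "Example Widget 1.2.0, 1.2.1 and 1.3.0 allow remote attackers to bypass authentication."}
      ],
      "affected": [
        {"vendor": "example", "product": "widget",
         "versions": [
           {"version": "1.2.0", "status": "affected"},
           {"version": "1.2.1", "status": "affected"},
           {"version": "1.4.0", "status": "unaffected"}
         ]}
      ]
    }
  }
}
''')

# Constructed NVD-style CPE 2.3 match strings for the same entry; only one
# of the two affected versions has a CPE, which is the asker's situation.
CONSTRUCTED_CPES = [
    "cpe:2.3:a:example:widget:1.2.0:*:*:*:*:*:*:*",
]

# Dotted version-like tokens such as 1.2.0 or 2.10 (heuristic).
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")
# Split a CPE 2.3 formatted string on colons that are not backslash-escaped.
CPE_SPLIT_RE = re.compile(r"(?<!\\):")


def versions_in_description(text):
    """Every dotted version-like token named in the text, sorted.

    A token here is a candidate for review, not proof the version is
    affected: the text may say "before 1.3.0", meaning 1.3.0 is the fix.
    """
    return sorted(set(VERSION_RE.findall(text)))


def affected_versions(record):
    """Versions with status 'affected' across all products in the CNA container."""
    found = set()
    for product in record["containers"]["cna"].get("affected", []):
        for entry in product.get("versions", []):
            if entry.get("status") == "affected":
                found.add(entry["version"])
    return sorted(found)


def cpe_version(cpe):
    """Return the version component (6th field) of a CPE 2.3 formatted string."""
    fields = CPE_SPLIT_RE.split(cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return fields[5]


def check_consistency(record, cpes=()):
    """Compare description, affected list and CPE list; return the disagreements."""
    text = " ".join(d["value"] for d in record["containers"]["cna"]["descriptions"]
                    if d.get("lang", "en").startswith("en"))
    mentioned = set(versions_in_description(text))
    listed = set(affected_versions(record))
    cpe_versions = {cpe_version(c) for c in cpes}
    return {
        # Named in the prose but absent from the affected list: the easy fix.
        "mentioned_not_listed": sorted(mentioned - listed),
        # Listed as affected but never named in the prose.
        "listed_not_mentioned": sorted(listed - mentioned),
        # Affected according to the record but with no CPE to match on.
        "affected_without_cpe": sorted(listed - cpe_versions) if cpes else [],
    }


if __name__ == "__main__":
    for key, value in check_consistency(CONSTRUCTED_RECORD, CONSTRUCTED_CPES).items():
        print("%s: %s" % (key, ", ".join(value) or "none"))
```

On the constructed record this reports `1.3.0` as mentioned but not listed and `1.2.1` as affected but without a CPE. The first finding is the kind of self-contained inconsistency the answer says gets fixed; the second still needs your reproduction to back it, since the record alone cannot tell whether the CPE list or the affected list is the wrong one.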