
Hi everybody, my name is Bob Lord and welcome to this panel on the CVE program. Thank you to BSides for hosting and for the just-in-time adjustments to the stage here. Fantastic. A little bit about me, and then what we can do is a very quick lightning round of intros. You can check us out online; all of our bios are in the online system. So, I'm Bob Lord. I work at IST, which is the Institute for Security and Technology. It is a critical action think tank that brings together policy people to help create solutions to some of the problems that
we see on a regular basis, and CVE is one of the things that we've been studying. Before that, I worked at CISA for three years kickstarting the secure by design movement. Before that, I was a defender trying to protect networks at various places, large and small. And then before that I built software for enterprises and for consumers. Maybe we'll start on my right with Chris. >> Hi, good afternoon everyone. Chris Butera. I'm the acting executive assistant director for cybersecurity at CISA. What that means is I lead the cybersecurity division, and we are sponsors of the CVE program. Very excited to be here. >> Hi everybody. My name is Madison Oliver.
I am a CVE board member and I manage the advisory database at GitHub, and I'm happy to be here today talking about CVE. >> Hi, I'm Jerry Gamblin. I'm founder of RogoLabs, a lab that is dedicated to providing open source vulnerability intelligence and enriching CVE data, and printing stickers. >> Hey everybody, I'm Tod Beardsley. I currently work at runZero. It's dope. I used to work at CISA, also dope. And I am also on the CVE board. Been a CVE mucker-abouter for, I don't know, 10 years, something like that. >> Marvelous. So I'm super excited for this panel to hear their words of wisdom. So let me just give you a few
minutes of framing for this. So I think that the CVE program is truly essential infrastructure that helps defenders defend their systems today. But it also is something that can help us understand what systemic problems we see over and over again in the world of software, and so for that reason, from the secure by design angle, I've been just super interested in understanding how we can mine the data to make safer software. So, you know, I think you're here because you've heard a number of things over the last year or two. You've probably heard things about funding. You've probably heard things about the slowdown in NVD output. You've probably
heard things about the Cyber Resilience Act, the CRA in the EU. You've probably heard about the EUVD. You've probably heard about the CVE Foundation. You've probably heard about a whole bunch of other things. And you probably have some questions on your mind. Spoiler alert: I don't think we're going to solve all of these questions today. But I do think that we'll be able to explore the space and give you some things to chew on for the rest of the conference and as you go back to your regular lives, where I'm sure you're going to be thinking and talking about CVEs quite a lot. So, I've been going out and talking to a lot of
different people trying to understand what their concerns are, and they boil down into some consistent themes. So, funding, of course; I'd mentioned that's one of those consistent themes. I've heard people talk about governance from many different angles. I've heard people talk about transparency, also from many different angles; accountability; international participation, which was, I think, one of the things that surprised me in how often it comes up in conversation; technology stack; you name it. So, those are some of the major ones that I've been hearing from people as I talk to them. The one thing I think is clear from all of the changes that we're seeing is that more change is coming.
And the question is, what form will that change take? And so hopefully we'll be able to answer some of these questions. One of the things I think about is that a lot of problems can't be solved efficiently where you find them. These are upstream problems and they need to be solved upstream. And thinking about the funding issue, you know, Chris is here from CISA and we're very grateful for his participation. Obviously, people have said to me many times that funding is a key element, and that people were surprised by the events of April of this year. And so I think maybe I'll just turn it over to
Chris to talk a little bit about what you can share about the past, but I think what people have mostly asked me about is the future. >> Thanks, Bob. And you stole most of my talking points about the feedback that we've received as well. And I just want to be upfront that we are really focused on taking that feedback and engaging with this community. And that's why I'm excited to be here today to engage with you all on improvements to the CVE program. To talk about funding just for a minute: there was never a funding issue in April. There was a contract management issue, in that we had to get the contract in place.
Those of you who worked in government know that those things can be tricky. We made it past that. CISA will continue to fund the program. We have ample funding to fund the program, and it is a huge priority for CISA to fund this program. There are two reasons really I want to talk about why that funding is important. The first is the CVE program is a public good. You know, privatization would lead to potential conflicts of interest, bifurcation and general confusion that could lead to national security issues. So we are very aware of that and want to maintain improvements to the program to make sure it continues to be a public good. The
second thing is CISA is a huge consumer of the program itself. So while we do run the program, we actually use it for both strategic and tactical operational needs every single day. So I can tell you from experience we've had many situations where the CVE work underpins all of our operational work. We had an instance a little while back where we were notified, always on the weekend, on a Saturday, by a security researcher about exploitation of a specific product. We went and talked to the vendor of that product and we said, "Hey, we think this product is being exploited, but we don't know how it's being exploited." Turns
out there were four separate CVEs that were involved. And without being able to have those CVE records and the distinction and uniqueness of those CVE records, it was impossible for us to have meaningful dialogue with the security researchers, with the product owner and with the stakeholders who needed to quickly patch and remediate those vulnerabilities. So for each of these vulnerabilities that is published in the CVE catalog, CISA enriches those vulnerabilities with specific indications around exploitation that could lead to us publishing it in the Known Exploited Vulnerabilities catalog, which again then triggers additional workflows for our operational teams, where we will publish an alert to our different stakeholders alerting them to patch that immediately. For our
federal stakeholders, that means they have to patch it in a very tight timeline. And then it triggers a bunch of other actions for us. We use it to scan for that vulnerability across the ecosystem and then notify people, if it is already being exploited, that they should be patching immediately. So without the CVE program, we would be unable to really perform our critical cyber mission effectively. And so it is really foundational for us to continue to fund this program going forward. >> Thank you. Thank you for sharing that. Anybody else, comments? You're all consumers of CVEs. I think in a minute we'll ask Madison; she wears many hats, and so we'll ask her to try to do
some quick changes here and there. So, Madison and Tod, who can't see each other because of this setup, but that's okay. They cannot collude. They cannot share answers. You are both on the CVE board. My question to you is, what's that like? [laughter] >> Do you want to start, or should I? >> Go for it. >> So the CVE board has been a really interesting journey for me. So for some context, I joined the CVE board about a year and a half ago. I've been involved in the CVE program for seven or eight years now. Prior to my time at GitHub, I worked at the CERT Coordination Center at the Software
Engineering Institute coordinating vulnerabilities on behalf of the US government. So I helped manage our CVE Numbering Authority at CERT. When I moved to GitHub, I started in our incident response team and I managed that CNA, and then I moved over to our advisory database, where I am now managing our open source CNA. So I got involved in the CVE board because I am very mission-oriented and very mission-driven, and it was very important to me to feel like I was being a part of the solution and not the problem. As somebody who is terminally online, I see lots of very valid complaints against lots of systems, but CVE especially, and
it is personally important to me that I try to engage in that community, try to make it better, right? I don't want to just be complaining from the outside, but I want to actually try to effect change, and especially from the open-source constituency that I'm now serving, I think that there is a lot of value to having their voices better heard in the CVE program as well. So those are a lot of the reasons that got me involved in the CVE board. I will say, about my experience outside and inside the board generally: I'd love to see things move faster. I'd love to see things be more transparent. I'm a huge advocate of
transparency. Surprise, surprise, I ended up at an open source organization, but I love things being open and transparent because it's what allows us to talk about these things. And I am a strong advocate, internally and externally to the CVE program, for encouraging them to be more transparent. And so I try to use some of the work that I do on the board to increase that publicly. >> Tod, what's it like to be on the CVE board? >> So, thank you, Madison. One of the complaints I hear a lot about CVE is that the CVE program is captured by vendors. It's captured by Microsoft, where Madison secretly works. It's captured by Cisco. It's
captured by Apple. Right? And if you're a researcher, good luck getting a CVE if the vendor doesn't want you to have one. And that sucks. [laughter] So I joined the CVE board about 10 years ago, I think, back when I worked at Rapid7 as a researcher. And I said, well, if the CVE board is actually captured by all these vendors, let's put a non-vendor on there. And my role specifically was as a research CNA at Rapid7, and I run another research CNA today down in Austin called AHA!, takeonme.org. And as a researcher on this board, I can tell you that, yeah, I
mean, the vendors do have pull. And I'm going to steal some of the air, the vendor... [laughter] The vendors have pull, but it is not in the rules. And if CVE people love anything, it's lists of rules. And often when I'm in board meetings and we start veering into that realm of, "Oh no, if we do this, you know, these big vendors will leave the CVE program, and then what?" And then, you know, usually my answer is, "Cool, let's see them try. And we'll find out together." And so my role on the board tends to be like, and I'm not saying I'm a big
bomb-thrower and I'm a big anarchist or anything like that. I used to be a Fed. But my role on the board is, I'm with Madison. Things do need to be faster, more transparent, more accountable. I would love to see more of that on the CVE board. And to answer your specific question, Bob, what's it like being on the CVE board? I notice Chris says CISA runs CVE, and that's sort of true in that CISA pays for it. But the CVE board nominally has some governance role on it, and so we tend to do things like fix the rules and create new working groups and
do stuff like that. So that tends to be my day-to-day on the CVE board. >> So, you know, thinking about governance, and again going back to the international component, there are a few international constituents on the board, but I think out of 23 there's maybe three or something like that; I may be miscounting. >> You're right. >> And then maybe talk a little bit about how we're thinking about things along the lines of the terms for board members, and anything along governance in general along those lines. >> Well, lucky for us, terms are lifetime. There's no appeal. You can get kicked off the board for being a jerk.
We have a code of conduct. How to be a jerk is outlined in the code of conduct. And so we rarely kick people off the board. But not never. And as far as international input, we're always looking for it. So the people on the CVE board are there by dint of their interest in vulnerability management, vulnerability communications, things like that. Notionally, they're not there because they work at GitHub or they work at CISA. That's not the reason to be on the board. It's a very kind of personal reason to be on the board. And then to get on the board, generally speaking, you have to be
nominated by an existing board member. There's some talking, and it takes forever, like everything on the board, and then you're on the board or not, right? And then people leave; they retire, you know, they leave the board for various reasons. I think altogether there are 23 people on the board now, and I think there are 20-ish or so people who used to be on the board. So there is some turnover there, just by dint of how people operate. But no, there's no ISC2 election, for example, that kind of style of governance. >> And should there be? I don't know. Anything else you want to add?
>> Yeah, to add to Tod's point, some things that I would really like to see as part of this: CVE serves a very global community. I believe the board running it should also represent that very global community. Now, I say that, and I do believe there is a finite number of folks that should maybe be on a board. I would love for maybe every country or organization to be represented, but also there's an obvious ceiling to this as well, to ensure that the program remains efficient. So I do feel like the board has an opportunity to be more global, to better represent the community that is both consuming and
also producing CVE data. Oh, and I immediately lost where I was going to go with the second point. It'll come back to me though, don't worry. >> Yeah. So, Chris, I want to hear a little bit from you. You'd mentioned a little bit about, I don't know if you used the word fragmentation, but a little bit about that, but then also how does CISA work with the international partners in this whole space? >> Yeah. So, I agree on the comments about the board. We think there's some room for improvement on the governance, the board, the makeup of the board, international representation. Since you touched on that specifically, we've
been in touch with our Five Eyes partners as well as the EU government and other international governments that we speak with every day and work through operational challenges with every day. And we think it's better to bring some of those partners into the governance of this program as well. They have a vested interest in it. If we don't, they might come up with their own scheme to do otherwise. So we really want to make sure that CVE is again that foundation that is feeding other programs. So if the EU needs to do other things to meet their regulations, they can do so, but we can also build in everything upstream
that can help everyone else as well. So I think we're working really closely with a lot of our international partners to take their feedback and to involve them more in the governance of this program going forward. >> And presumably they, like you, rely on the CVE program for day-to-day operations, and so they have some skin in the game as well, I would imagine. >> Yeah. And it's not just our operational things too. It's all of our strategic pieces as well. So CISA does a lot of work on strategic items that CVE and CWE especially kind of underpin. So, Bob, I don't think I have to tell you this,
but, you know, we've increased the completion of CWE records significantly over the last few years, which has been an exciting achievement for this program, and what that allows us to do is inform our secure by design efforts and what the classes of vulnerabilities are that we see being exploited the most. CVE also underpins our software bill of materials, our SBOM work; it underpins our Common Security Advisory Framework work, how we're trying to enable automation in this vulnerability ecosystem. And so we've been working with our other government partners on all these other initiatives as well. And the only way we're going to be able
to, you know, combat the cyber challenges that we are facing today is by increasing that automation, increasing the quality of the data that's involved in the program. >> Okay, we're going to get to quality in just a minute. Can I just do a little bit of brainstorming here? So, we talked about this a little bit in bits and pieces. When I take a look at the innovations that we've seen in other sectors, planes, trains, automobiles, medical stuff, where you've seen dramatic improvements in safety for customers and for the public, there are a number of things that tend to happen. One of those is that there's a public sector trust
anchor. But I was wondering if anybody had any particular thoughts on learning how safety got safer in these other sectors and how we might be able to help the CVE program, informed by those? Anybody? Well, Jerry. >> I'll maybe say, at a very high level, what I like about those programs is that it is a regular and forced review of what we're producing and what we're doing. Is this meeting our goals and what we're trying to accomplish? So, in a safety sense, it tends to be, maybe I'll say, a little bit easier, very binary, you know: is this safe or not? Is this safe enough or not? Maybe that's not quite as binary as I made it sound.
But what I really like about those programs is that it forces the review of it. You don't just continue progressing forward and assuming that everything is okay. You take a very intentional step back and are reviewing what you're doing and ensuring that the governance you have, right, the specifications you have, the guidance you have, the things that say this is what we should be doing, match with why we are doing this and the goals that you want. So I think that, at a very high level, is at least something that our program could pull out from that as well. We could probably stand to stop and do some of those reviews too
and ensure that what we're doing is meeting our goals. >> To kind of put my toes as close to the political line as possible: I don't think the head of the EPA should be the CEO of Exxon. I also don't think that the CNA program board should be completely made up of CNA members. >> All right. Now you're getting your money's worth. >> [laughter] >> Okay. Jerry, I do want to talk about quality. You and I sit on the quality working group, and I confess I think you've done a heck of a lot more work to actually move the needle a little bit. You want to talk a little
bit about your vision for quality and anything you may be doing this week around quality of CVEs that you want to pre-announce? >> For sure. Two years ago the NVD ran into a funding issue, and at that time many consumers found out that the NVD didn't produce CVEs. At the same time, many CNAs found out that the NVD doesn't produce CVEs. And I say that because of the data quality that is in your actual CVE records today. For the longest time, a CNA could basically produce a shell of a CVE record and push it into the system. And before the average consumer or average blue team member got a hold of the CVE,
it had been enriched by the NVD, where it included CPE, CVSS score, CWE. And with the NVD slowdown, they're just not able to keep up with that. So that has fallen back to the source of truth, to the CNAs, to provide that data, and they are not doing that. A patch link in a CVE record is only on about 5% of all CVE records that are published today. CPE, which people will tell me is terrible or not terrible, but it's the standard we have... >> Terrible. >> It is, but it's the terrible standard we have today, is in less than 2% of all CVE records published by CNAs. After this I'm
giving a talk where I'm launching a project, kind of a scorecard, so you can see which CNA releases which data in what format. And I will tell you that the CNAs will not be overly happy about that. And every CNA you talk to will tell you that they give you the data that you need. But as consumers, and that's who I'm here representing, it's not obtainable to think that every consumer should be able to digest 460 different data formats. And that was the promise of the CVE program, and a promise that has been broken, in my opinion, is that the CVE program was supposed to be a standardized format for
people to be able to read and to use, and we've just gotten away from that with the slowdown of the NVD and with some other issues with the schema in general. >> So where can we learn more about your new program? >> I will be giving a talk here at two o'clock. It's called The Issues with CVE Transparency, and then I will be at DEF CON later this week giving a talk on a similar subject. I'm happy to talk with anybody or chat with anybody about this, because this is something that I'm very passionate about. I don't come at this from the vendor side. So I'm with you guys and I want to talk to you guys
about how we use this data and about how people need this data to protect their businesses and their communities. >> Is part of what you're doing trying to understand how much we can automate these systems, like how complete the records are, how accurate they are? >> Yeah. And that's the thing: everything should be automated. Like, a big deal is the patch link, right? Everybody will tell you that when they have a CVE, they provide you with a patch, but you have to go to their advisory or to a certain page. The CVE board has a patch tag that you put in the references, and nobody uses it. And it's as simple as saying, "Hey, when
you put out a CVE, just put the link to the patch and hit it with the patch tag, and then everybody will know exactly where to go and get this data." But nobody does it. Less than 5% of CVEs are published with that. And so it becomes up to every individual to go and figure out which of these five advisory links has the patch in it. Which one should I go and get? >> Well, and one of the issues with patches, right, is that CVEs don't describe patches, they describe vulnerabilities. Patches optional. Now, but I think what you found is that patches optional means patches
never mentioned in the CVE. I'm with you, like, we should be making it easier. And I think part of it is, like, when a vendor writes a CVE and they provide a patch, their goal is not to hide the patch. I don't think that's the goal anyway. I don't know why they would do that, right? And so I think fundamentally one of the issues, and this is one of many areas that I would like to improve with the CVE program, is the CVE program does not produce sufficient tooling to describe vulnerabilities in the CVE format. We've
basically got two ways to do it. We have something called Vulnogram. It's a little GitHub project. And then we have cvelib, which I think comes from Red Hat. GitHub might have a third thing now that I think of it. Do we? Maybe not. >> Yeah. >> But we have, of course, two different sets of tooling. Both written on a volunteer basis. Both are open source. Neither of which is endorsed by the CVE board, which is insane. And so a lot of these problems go away when we start pushing better tooling upstream. So for CNAs it becomes easier to do
the right thing, right? Like, it's that whole thing: bad UX is bad security; good UX tends to be better security. And so we need better UX for the CVE program. >> Well, and to Tod and Jerry's point too, a perfect example of this could be, let's say in a CVE record in the affected product field, you list that there is a patched version; then maybe there can be a technical requirement that there be a patch reference link before you can submit the CVE record, for example. >> So, I don't know if your research has gone this far yet, but is there anything that we can learn from the
CNAs that have done a really good job? Is there anything that you think would be worthy of sharing about what good looks like? >> Yeah, I think that the CNAs that do a good job do it consistently, and it's all about process. All right, all of these CNAs, or the majority of the big CNAs that produce over 200 records a year, have a PSIRT team and they have a process that's just, I'm going to do these 15 steps to release the CVE, and the good ones have the steps to make sure the CVE record is complete. The ones that need to work, I really believe, are just pushing the CVE as the last step
and letting the NVD do the legwork of filling in that data. >> Yeah. >> And they just need a little bit of help to understand that, hey, the NVD isn't doing this job now. We need to push that responsibility back onto the PSIRTs that are publishing the CVE. It's not overly onerous. It's just a few extra fields in a JSON record >> and then it makes everybody able to use the data automatically. >> Hey Bob, I just want to jump in and give a little insight on kind of how we got to this point and how we're kind of flipping the focus a little bit. So from 2016 to 2024 the
program was really focused on growth. It was really the growth era of this program. We went from 24 CNAs to more than 460 CNAs in that time. So that's a huge increase in the number of CNAs. Each of these CNAs requires training to really understand how to do their job, how to do their job effectively. And so we have a lot of new CNAs that we are working with all the time and trying to get them to do better in their work to produce CVE records. The other big note is the record count went from 6,400 to more than 40,000. Right? So that is a huge increase in records.
And so, in addition, the actual people that were responsible for publishing those CVEs went from 100% being done by the CNA of last resort to only 16% now. So we're relying on the CNAs to do a lot more work here. And we want to make sure now that we are shifting from that growth era to the quality era, really, and we think that there's a lot of work we can do around data schema, data quality, tooling, APIs, that will really, I think, help the ecosystem tremendously, and again, trying to meet that need for automation and speed. I think we can also all agree that
completion, accuracy and timeliness, CAT, is really the focus here that we want to focus on as well. And so I just want to give a little bit of that background on why we're trying to make that shift from growing the program to really focusing on quality now. >> Yeah. So he's mentioning this CAT thing. So when we talk about quality, I think my definition starts with three things. So it's completeness and accuracy and timeliness. And so I think you're doing a lot to figure out, is it just complete? We haven't gotten to the accuracy part yet or the timeliness part, but I think just starting with completeness, I think
that's going to be a pretty big thing. Plus, the internet loves cats, so I just have to promote that at every angle. So, okay, so I'm listening to this, and, you know, if I again take a look outside the world of software and I take a look at safety in other sectors, planes, trains and automobiles, medical, whatever, there are often requirements to fill out these defect reports that include things like the root cause and remediation and even event chronology, like, hey, car company, when were you put on notice that this particular defect was potentially a systemic problem rather than an individual machine? And so I'm hearing this and I'm
saying to myself, well, wait a minute, the bar for everybody else is up here, our bar is down here, and now I've got a panelist who's releasing some numbers this week saying we're not even doing the sub-minimum very well. What should I take away from this? >> One, two, three. Okay. The difference between a safety regime, right, that has things like a National Transportation Safety Board or an FAA, are things called regulators. And regulators get paid with tax dollars to make sure we all don't die by, you know, dumb stuff, right? We have no sense of regulation in tech, and if you want to talk about how this CVE program has been
captured by vendors, let me introduce you to the rest of government. You know, there is, as far as I know, no real appetite among technology providers to acquiesce to a regulatory regime that says you must do CVEs in this way. Every CVE you read is written by a volunteer. That's why, if you're interested. >> Okay. So, >> so is that right? >> I think I know where you're going to go. So, I'm winding you up. Go. >> So, I have a counterpoint to that. The EU thinks that there should be regulations, and they have announced a plan that in November, if you have a vulnerability in your product, you have
24 hours to release a notification. I think CVE is going to become the standard notification body. So I've talked to a lot of people and we go back to the GDPR thing, and they're like, "Oh, that's just going to be in Europe. Nobody is going to ever do that here." And now every time you go to a website you have to click "I accept cookies." That is going to quickly become a thing in the US. So while we've had a tidal wave of CVEs published in the last two years, I really think, what's worse than a tidal wave? A tsunami. >> A tsunami of CVEs will start being published in November and December. And
I'm guessing that by the end of next year, we're looking at 75,000 CVEs, not 40,000. >> That's not where I thought you were going to go. >> Oh, [laughter] >> but that's okay. Where I thought you were going to go is this idea that when I buy, at least, let's just talk about commercial products. When I buy a commercial product, although it may not be part of the contract, it is sort of an implied social contract that if this product is now known to be harmful in some way under certain circumstances, the company owes me notification, and we do see this in every other industry. But even if it's not through regulation,
why would they not be diligent in producing these records, just because it's the right thing to do? >> Because when you negotiate your renewal, you never ask about vulnerabilities. The next time you're sitting across from Microsoft or Cisco or Red Hat and you're saying, "Oh, we need to renew our corporate lease for this year. We want to redo our E5," that's where you have the most power in your relationship with those companies. And that's when your security team should say, "Hey, you know what? We really like your product, but the CVEs you guys put out, they do not help us keep our network safe. We would like you to improve these." And I've been in
tech long enough that salespeople normally have the most sway in a in an organization. So those sales people are going to go back. It's >> renewal time. >> Yeah. when it's renewal time, they're going to go back and say, "Hey, we're not going to close this x00,000 or million dollar deal." Because the PERT isn't putting in patch links in the in the CVE records they're publishing. Uh by next week, the the PERT will be putting CVE links in that patch, right? like and and we as consumers of CVEEs do not use our our power to kind of close the loop from purchase to repair enough to to use that power that we should have to talk to to vendors about the
publication of their records. >> That's really easy to say like, "Oh yeah, these CVs are garbage. Ho ho." Like move on with your lives. Like take Jerry's advice. Everyone in this room uh probably buys some amount of software and probably buys it on a subscription basis. take the time during the I mean just like snap snap snap to Jerry on that one because like that that is great. This is the way to do it again because CDE are written by volunteers. Um you can volunteer to be a regulator uh through your dollars. >> To add on to that too, I would also recommend I love this idea. Please definitely do this as soon as you get
home. Uh, in addition to that, you could also engage with your policy teams. Typically, they're engaging with folks like Chris and Chris's team and others elsewhere across the industry. And you, maybe as the security or technical folks in the audience, may have a deeper or more grounded understanding of why this is so important. Share that with your policy folks. Give them the information that they need, the data that they need, to go and also fight this fight on the policy front as well. Because I think there are a lot of different ways that we as a community and an industry can start tackling this issue, this very, very broad issue I'm being very general
about, but I think that's another way too that we as CVE consumers forget that we have power there as well. >> So, and I love Todd, but he's saying that volunteers write most CVEs. Um, I'm sure the people that write the majority of CVEs are getting a nice check from a corporation. So, >> if anyone's >> My team is paid to write CVEs, >> write CVEs. >> I think that all the PSIRT teams' jobs are to write CVEs. I think that's where we disagree. But >> but I think that to think that CVE is a voluntary program is probably downgrading the importance of CVEs today. >> To me, it's like it's maybe half and
half if I were to, like, put some numbers to it. I go maybe the extra mile, right? I'm here today. I'm on the CVE board. I engage in all of the working groups. I may be volunteer or extra there, but because I manage a database filled with information about vulnerabilities, I manage a very, very large, prominent open-source, uh, CNA, I would have to care about this anyway because this is also naturally part of my job. This CVE program is fundamental to my role. So maybe I'd say, like, a good portion of it, like, I am paid to care about this. I have a team of analysts that are actively curating CVEs. I also take the
extra mile, though, because again, very, like, mission focused and mission oriented. I want to give back, and so for me a lot of the extra stuff I do, like being here today, to me is my volunteering. Um, though not to be confused, my work is also paying for me to be here. So it's >> straddling both lines. [laughter] >> So can I ask you to put on a few of those other hats? So, uh, people have referenced your, uh, your CVE work as a company, as for open source. Can you walk us through the high level, uh, overview of what that program looks like, who it benefits, and how you think
about things like transparency and, you know, things that you would like to see infused in the larger CVE program. >> So, I manage GitHub's advisory database. It is a free database filled with advisories about vulnerabilities in open source projects. All of the data is free. It is the vulnerability data that powers Dependabot, npm audit, NuGet audit, a slew of supply chain security tools. I'm sure if you're using another vulnerability database, they're ingesting our data as well, because it's freely available and everybody does, which is exactly why we do that. Uh, so as part of our advisory database and as part of the GitHub platform, any code owner can create a security advisory on their repository. So that's a way for
them as the maintainer to say, "Hey, my project is vulnerable to this thing. I want to share this with my community." They create their public disclosure right there in their repo, where their community is already gathering their project or the package from. And as part of that flow, maintainers or any code owner on GitHub can request a CVE from my team without becoming a CNA. So this is a free service that we provide for any open source maintainer on GitHub. They can request a CVE from my team. My team are the SMEs in the CVE world and the vulnerability world. I am a huge proponent and advocate that you should not have to be a security expert to do
security well. Every maintainer on GitHub should not have to know the intricacies of the CVE program, right, to be able to engage in this. Well, they can engage with somebody like me and my team that knows this and knows them and be the intermediary. So, we assign CVEs on behalf of open source maintainers. We evaluate the information. If we believe it should have multiple CVEs, or should have fewer, per CVE rules, right? We explain that to the maintainer. We have a conversation with them. We discuss this with them. We'll say yes for this reason, no for this reason, and typically go depending on the size of the project as well, right? If I can take the opportunity to volunteer and do
some education for them as well, like, I'll absolutely take that opportunity too. Uh, so my team has been doing this. We are actually about to celebrate our sixth anniversary as a CNA, I think next week, maybe the week after. So sometime this month. Uh, we are one of the most prolific CNAs in the program the last few years. We've grown tremendously. Last year we published over 2,000 CVEs. I think we've published over 7,000 so far in our lifetime. And so for context, Jerry had said earlier that a high producing CNA, or at least in his opinion, I guess I'll say, is about 200 CVEs a year. My team produced 10 times that, and I do not have a large team
doing this either. But the way that we are able to do this is by being very focused and very, very dedicated and very deliberate in what we are doing with our very narrow focus. Uh, and so because of some of the technical controls that we have in place, that I know Todd will fight me on this, that have caused issues for the research community as well, the request has to come from a code owner or a maintainer, which means that we have difficulty supporting security researchers when there is no maintainer involved or projects that have been abandoned. But again, we're a team of human beings and I'm doing what I can. >> Excellent. Excellent. Okay, with the
last remaining minute, any closing thoughts? Uh, Chris, over to you. >> Yeah, sure. Um, just want to thank Madison too for, you know, giving the open source perspective. I think we still have a lot of work to do on the open source, uh, ecosystem to involve them better in this program, but, uh, with the addition of GitHub and I think four other, I think there's five open source CNAs >> and Red Hat as a root >> Red Hat as a root. Um, we've made some significant progress over the last few years, still have some work to do, but again, like, I think getting the open source representation on the board is really important as well. Um, my take
here is, you know, engage with CISA, please, on what you want to see improved with this program, because it is a public good, and we are committed to maintaining this and improving this program to be that public good that underpins, you know, the cyber security and the national security of our nation. Um, I will be here all week. Um, I'll be at Black Hat the next two days. I'll be here the rest of the day and at Defcon this weekend. Come find me. Um, you can also send us messages at vulnerability.dhs.gov with any ideas you have for improvements to the program. Final thoughts. If there's anything that I would like you to maybe take away from this talk,
it's, it is what you have control over as either a CVE consumer or a CVE producer. Create better data yourself. Demand better data from those that are providing it. Um, use the power that you have to try to affect this change from where you're at, no matter what seat you sit in, no matter what hat you're wearing. >> Ditto. [laughter] >> Okay. >> Super easy to complain, right? Like, love it. I love complaining. It's my favorite. Um, but it's only slightly harder to, like, reach out to these programs if you care about these programs. So, reach out to Chris, reach out to me, the CVE board. >> Tell us when we're doing it wrong.
>> I know that we're at time, but, um, Bob Lord is starting a consumers' working group for the CVE program. I don't know if he's going to plug, so I'll plug it for him. Um, please talk to him about joining if you care about CVEs from the consumer side. >> Yeah. So, uh, thank you for that. That was a great tee up. Uh, so the basic idea is that we spend a lot of time talking about the CNAs, and we've done that here. We don't spend as much time talking about the people who use the CVE. So you talked about the automation and all the people downstream, both individual defenders trying to figure out what the
heck to do with a particular vulnerability, but those who use tools, those who make the tools, open source, commercial. So we're going to talk a lot more about that. There's information on cve.org. The one thing I would just leave you with, uh, to close is I think there's a lot that we can learn from the history of safety in other sectors, and I would encourage everybody to think about, uh, reading up on those and figuring out not how to copy them blindly, but how to inform our research into vulnerabilities in a way that is appropriate for what we're doing. And again, change is coming. And so just to echo what I think I've heard
everybody here saying, getting involved is going to be key, because we don't currently know exactly what that form is going to take. Thank you so much for coming out. Uh, really appreciate all of you. Thank you, BSides.