TL;DR – The future of community identifier is going to be the Cloud Security Alliance. See this blog post for more details.
A few months ago the Distributed Weakness Filing project (DWF), announced it was coming back to work with some new ideas around how we work with vulnerability identifiers. The initial blog post defines some of the reasons, we won’t rehash them here.
It should surprise nobody that the DWF project did not grow to an enormous size in a few short months. Vulnerability identification is a complex and hard problem. We were looking to try out some new ideas and see which were effective and which were not effective. It was to start to build the structure to deal with a future community. Most importantly it was to help figure out what we don’t know we don’t know.
One group that has become interested in what we were doing was the CloudSecurityAlliance (CSA). The CSA is focused on, well, security and the cloud, as well as other new and emerging technologies and problems. Traditional vulnerability identifiers have been heavily focused on software as it existed in the past rather than current software and services. The CSA has an interest in helping to define the next generation of vulnerability classification. There are a huge number of potential vulnerabilities and weaknesses that are going untracked, which means they are largely unseen. If we expect the future to be more secure than the past, having a community driven vulnerability classification and freely available databases will be critical.
To make a long story short, the DWF is dissolving and is directing people and organizations interested in participating in this towards the CSA community where a new working group and other efforts are being started. The group is tentatively called the “Universal Vulnerability Identifier (UVI) working group”. This is a working group with open membership and an initial goal of helping define the future of vulnerability identification. The target audience is anyone looking to understand, use, and define vulnerability identifiers. Closed source, open source, services, security researchers, IoT developers, individuals, companies, projects; we want to work with everyone. For more information please see https://universalvulnerabilityidentifier.org/.
The DWF was founded on the idea of bringing community, openness, and transparency to vulnerability identifiers. These are also principals that the CSA values and has consistently exhibited for over a decade. There will be a few changes to the DWF and DWF data happening in the short term to support these long term goals:
- The UVI IDs will all start with the prefix “UVI”. All DWF IDs will have the prefix upgraded to UVI
- The iwantacve.org domain is being transferred to the MITRE Corporation. We do hope that the MITRE Corporation continues to run a service that makes acquiring a CVE Identifier quick and painless
- The DWF project is dissolved effective immediately
We are extremely excited for what the future holds. The CSA is a very forward thinking organization that understands and appreciates the past work of the DWF. We all expect this working group will have a great impact on the future of vulnerability identification and management.