• bleistift2@feddit.de
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 year ago

    The author has a point that the NVD has no clue about the security implications of a bug. But can we really expect them to? At a conservative guess, I’d say there are millions of pieces of code floating around. Should the NVD be deeply involved in all of them just to provide the most accurate security score? That’s an impossible ask.

    The author also takes issue with the NVD’s stance that they cannot just trust any dude’s email. Is that not a fair take? “Trust me. I’m the maintainer of this project. Do as I say.” Should the NVD now also check each and every email they receive for forgeries? Should they assume that the author of the email would write an assessment in good faith and not downplay a real threat because it looks bad for their project?

    My claims above about this issue can of course be verified by reading the publicly available source code and you can run tests to reproduce my claims.

    (That quote is from another of his blog posts.) Now this is really ludicrous in my opinion. You cannot expect any outsider to read the internals of “over 160,000 lines of feature packed C code (excluding blank lines)” to verify a claim. There is simply not enough time on the NVD’s hands.

    I’m happy I learned something about these magical CVE numbers. My takeaway from this is: The database is good, the scores may not be.

    • Hirom@beehaw.org
      link
      fedilink
      arrow-up
      14
      ·
      edit-2
      1 year ago

      NVD state they task an analyst to review each CVE and assign a score, then do QC to review the analysis before publication.

      No one’s perfect, but since NVD claim to do QC they should fix their mistakes. So now let’s see how they answer to Daniel Stenberg’s objection. The publication and objections are recent, it’s fair to give them a few days to react.

      But if they’re giving up on doing proper analysis or QC, and are are just acting as a vulnerability number registry, then they shouldn’t publish CVSS values.

      NVD analysts use the reference information provided with the CVE and any publicly available information at the time of analysis to associate Reference Tags, Common Vulnerability Scoring System (CVSS) v3.1, CWE, and CPE Applicability statements

      CVSS V3.1 exploitability and impact metrics are assigned based on publicly available information and the guidelines of the specification.

      Analysis results are given a quality assurance check by another more senior analyst prior to being published to the website and data feeds.

      Source: CVEs and the NVD Process

    • chaorace@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      10
      ·
      1 year ago

      Should the NVD be deeply involved in all of them just to provide the most accurate security score? That’s an impossible ask.

      This is a false dilemma. If the task is truly impossible, that’s not a valid excuse to try anyway and fail repeatedly, especially if doing so causes negative externalities. Numbered scores with decimal precision are not necessary to the core functionality of a CVE database and there are plenty of alternative solutions which would minimize harm and scale more economically.

    • vojel@feddit.de
      link
      fedilink
      arrow-up
      7
      ·
      1 year ago

      You got a point with NVD but this case shows how one could damage the reputation of a product - this really looks like Bagder didnt care about security, even the 2020 prefix is a bad sign looking from the outside. I am not sure how the NVD define CVE scores but as bagder openly explains this isnt a flaw in security, just a bug he already fixed years ago.