Discussion
rwmj: https://archive.ph/S8ajd "Enrichment" apparently is their term for adding information to the CVE database.
DeepYogurt: Long overdue to be honest.
j16sdiz: TBH, I don't see much enrichment they are giving in the last 5 or 6 years.
Retr0id: Maybe we should just assign UUIDs
zbentley: Very true. So many regulated/government security contexts use “critical” or “high” sev ratings as synonymous for “you can’t declare this unexploitable in context or write up a preexisting-mitigations blurb, you must take action and make the scanner stop detecting this”, which leads to really stupid prioritization and silliness.
tptacek: The NVD was an absolutely wretched source of severity data for vulnerabilities and there is no meaningful impact to vendors/submitters supplying their own CVSS scores, other than that it continues the farce of CVSS in a reduced form, which is a missed opportunity.
shevy-java: > Going forward, NIST says its staff will only add data—in a process called enrichment—only for important vulnerabilities.

Now - I am not saying I disagree with everything here, mind you; I guess everyone may agree that CVEs may range in severity. But then the question also is ... what is the point of an organisation that is cut down to, say, handle 1% of CVEs - and ignore the rest? Why have such an organisation then to begin with? I don't have enough data to conclude anything, but from a superficial glance it kind of seems like trying to cut down on standards or efficiency.
tsimionescu: NIST does many other things in addition to handling the CVE database.