# Gaps in Vulnerability Identification - BoF @GSVS

## Moderator

N/A

## Attendees

Same folks

## Discussion Areas

* Across products, standards, and bodies
* Service versus package coverage

## Summary

_a tl;dr of the discussion_

## Notes

Gaps in vulnerability identification:

* A researcher needs to know that a CVE has to be assigned. The disclosure that is created normally has an assigned ID, author, etc. Some people don't know the process and don't know how to generate NVIDs. Sounds like we need more educational material for security researchers in the space to let them know about responsible disclosure reporting and where to file for a CVE, etc.
* The reporter knows how to disclose the vulnerability, but neither side takes responsibility for creating a CVE ID. More people are doing post-vulnerability CVE ID generation.
* Maybe automation, like a bot, to suggest creating a vulnerability ID.
* Getting things fixed also seems to be an issue (lifecycle). Integrate reporting as part of the regular workflow.

Maintenance status as part of vulnerability data:

* The fact that something is or is not maintained: is that a vulnerability? A CWE covers "the software is not maintained", but the CVE board doesn't want to issue a CVE ID number for that.
* Knowing the security support status is important to have in mind, but will everything get a CVE? Because everything will eventually be out of date. Similar discussion around malware.
* Do CVE (or vulnerability identifier systems) need to account for the state of the software at the time of reporting? And should that then be updated? I.e. the vulnerability data captures the source, and an API check sees whether the source states it's archived, or that the project is "aged/deprecated" (does not appear to be active).
* Have a new space for maintenance status: if you want to consume it you can, if not, ignore it. The RustSec database has advisories for deprecated products.
* Question of what is deprecated? End of Life vs. End of Support are two very different things. Why can't the group decide (sounds like a WG decision?). So it is archived!
* Part of Intel's work on the OpenSSF is to state what the project's life cycle is, through the Best Practices Working Group, to get that information out there.
* Indicator of a project not being maintained: for example, DNS. "This is the last time we saw a response to this project."

Scoring:

* The CVSS system is not well suited for libraries. CVSS guidance assumes a worst-case scenario, but the same library can be in a toy vs. a pacemaker. (fact check later)
* Need a scoring system that is designed for libraries. Scoring can also change depending on the industry vertical (healthcare, novelty, finance, etc.), perhaps enhancing on top of CVSS or the other scoring systems (there's another one Josh and Kurt know of) (fact check later :nod:).
* CVSS is maintained by FIRST; you don't have to be a part of FIRST to participate.
* Clarification: CVSS is NOT about the worst-case scenario, but the most reasonable impact.
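The notes above propose an optional maintenance-status field in vulnerability data, derived from what the source repository reports (archived flag, last activity) and stamped with when it was observed so it can be updated later. The following is an added example, not code from the BoF or from any project named in the notes: it assumes advisory records are dicts with a `source` URL, and it uses constructed repository metadata shaped like the `archived`/`pushed_at` fields a forge API returns, so it runs offline. The status labels (`archived`, `aged`, `active`, `unknown`) and the one-year inactivity threshold are this example's own choices.

```python
"""Attach an optional maintenance_status field to advisory records (added example).

Assumptions, not from the notes: advisories are dicts with an 'id' and a
'source' URL; repository metadata is a dict with 'archived' (bool) and
'pushed_at' (ISO 8601 timestamp). Both are constructed below.
"""
from datetime import datetime, timedelta, timezone

# Assumption: no push for a year counts as "aged/deprecated" (does not appear active).
INACTIVE_AFTER = timedelta(days=365)


def classify_maintenance(repo_meta, now):
    """Return 'archived', 'aged', 'active' or 'unknown' for one repository's metadata."""
    if repo_meta is None:
        return "unknown"                      # source not resolvable: say so, don't guess
    if repo_meta.get("archived"):
        return "archived"                     # the source itself states it is archived
    pushed_at = repo_meta.get("pushed_at")
    if not pushed_at:
        return "unknown"
    last_push = datetime.fromisoformat(pushed_at.replace("Z", "+00:00"))
    if now - last_push > INACTIVE_AFTER:
        return "aged"
    return "active"


def enrich_advisories(advisories, repo_lookup, now):
    """Return copies of the advisories with maintenance_status and the observation time added.

    The original records are left untouched, and consumers that do not care about
    maintenance status can simply ignore the two extra keys.
    """
    enriched = []
    for adv in advisories:
        meta = repo_lookup.get(adv["source"])
        status = classify_maintenance(meta, now)
        enriched.append({
            **adv,
            "maintenance_status": status,
            "status_observed_at": now.isoformat(),  # lets the field be refreshed later
        })
    return enriched


# Constructed sample data (placeholder IDs and URLs, not real advisories).
SAMPLE_NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "source": "https://example.invalid/org/libfoo"},
    {"id": "EXAMPLE-2023-0002", "source": "https://example.invalid/org/libbar"},
    {"id": "EXAMPLE-2023-0003", "source": "https://example.invalid/org/libbaz"},
    {"id": "EXAMPLE-2023-0004", "source": "https://example.invalid/org/unknownlib"},
]
SAMPLE_REPOS = {
    "https://example.invalid/org/libfoo": {"archived": True, "pushed_at": "2021-03-04T00:00:00Z"},
    "https://example.invalid/org/libbar": {"archived": False, "pushed_at": "2023-05-20T10:00:00Z"},
    "https://example.invalid/org/libbaz": {"archived": False, "pushed_at": "2021-12-01T00:00:00Z"},
    # unknownlib has no metadata entry, so it is reported as 'unknown'
}


if __name__ == "__main__":
    for record in enrich_advisories(SAMPLE_ADVISORIES, SAMPLE_REPOS, SAMPLE_NOW):
        print(record["id"], record["maintenance_status"], record["status_observed_at"])
```

Keeping "unknown" as a distinct outcome matters: a missing or unreachable source is not evidence that a project is maintained, and collapsing it into "active" would silently hide exactly the gap the discussion is about.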