Arbitrary Albatross: Neutral Names for Vulnerabilities
• Presentation
In this presentation the author explores issues around named vulnerabilities and presents a system to generate names separate from implied importance.
Publisher
Software Engineering Institute
Subjects
Abstract
Vulnerability identification is critical defensive security infrastructure. We have CVE, which is improving scope and coverage, but CVE assigns numbers, and people like words. Phrases. Names. From Heartbleed to Efail, there’s a trend in security research to market disclosure events with catchy brand names. Some are annoyed by this trend. Is annoyance justified? Names imply importance. Is the claimed importance justified? It may be that a more human-oriented handle is beneficial. We explore the issues around named vulnerabilities and present a system to generate names separate from implied importance.