search menu icon-carat-right cmu-wordmark

Arbitrary Albatross: Neutral Names for Vulnerabilities

October 2018 Presentation
Art Manion

In this presentation the author explores issues around named vulnerabilities and presents a system to generate names separate from implied importance.

Publisher:

Software Engineering Institute

Abstract

Vulnerability identification is critical defensive security infrastructure. We have CVE, which is improving scope and coverage, but CVE assigns numbers, and people like words. Phrases. Names. From Heartbleed to Efail, there’s a trend in security research to market disclosure events with catchy brand names. Some are annoyed by this trend. Is annoyance justified? Names imply importance. Is the claimed importance justified? It may be that a more human-oriented handle is beneficial. We explore the issues around named vulnerabilities and present a system to generate names separate from implied importance.