Arbitrary Albatross: Neutral Names for Vulnerabilities
October 2018 • Presentation
In this presentation the author explores issues around named vulnerabilities and presents a system to generate names separate from implied importance.
Software Engineering Institute
Vulnerability identification is critical defensive security infrastructure. We have CVE, which is improving scope and coverage, but CVE assigns numbers, and people like words. Phrases. Names. From Heartbleed to Efail, there’s a trend in security research to market disclosure events with catchy brand names. Some are annoyed by this trend. Is annoyance justified? Names imply importance. Is the claimed importance justified? It may be that a more human-oriented handle is beneficial. We explore the issues around named vulnerabilities and present a system to generate names separate from implied importance.