On Mar 28, 2024, at 12:58, Rich Persaud <[email protected]> wrote:
>
>> On Mar 28, 2024, at 12:37, Alexander Kanavin <[email protected]> wrote:
>>
>> On Thu, 28 Mar 2024 at 17:28, Marta Rybczynska <[email protected]> wrote:
>>> I think you weren't there at the weekly meeting when we discussed
>>> that: it started around Feb 14th and I see that in my data
>>> (I have a daily report).
>>>
>>> To make the story short: NVD is close to 0 activity since mid-February
>>> and there is no communication for now on why, what are the reasons
>>> etc.
>>> The security community is concerned and there are multiple ideas:
>>> amending/replacing the database, there is an open letter in the works
>>> etc.
>>> From our practical view there are no automated solutions we can
>>> implement right now. I have some ideas and it would be good to discuss
>>> them,
>>> the next weekly meeting might be a good occasion.
>>
>> Probably alternatives to NVD will get increased attention too, which
>> is not a bad thing. This exposes NVD as the single point of failure,
>> and I can't see how they're going to restore trust.
>
> Funding has been an issue for years, e.g. many thousands of bug reports never
> processed into CVEs,
> https://www.platformsecuritysummit.com/2019/speaker/sherman/
May 24th update: https://therecord.media/nist-database-backlog-growing-vulncheck

> More than 90% of submissions to the government's National Vulnerabilities
> Database have not been analyzed or enriched since the agency announced
> cutbacks in February, new research shows.
>
> Researchers from VulnCheck analyzed the NVD's activity since it announced
> cutbacks on February 12 and found that of the 12,720 new vulnerabilities
> added since then, 11,885 "have not been analyzed or enriched with critical
> data that help security professionals determine what software has been
> affected by a vulnerability."
>
> VulnCheck has a list of vulnerabilities it classifies as exploited and said
> nearly half of those bugs have not been analyzed by NVD since the slowdown.
> Another 82% of bugs that have a public proof-of-concept exploit have also not
> been examined, according to the company...
>
> "We recently enriched 1,300 CVEs and continue to diligently work to ensure
> all submitted CVEs are enriched," CISA said. "We ask all CVE Numbering
> Authorities (CNAs) to provide complete CVEs when making initial submission to
> CVE.org."
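One way to measure the enrichment gap the article above describes against your own NVD feed, as an added example that is not code from this thread, from VulnCheck or from the OpenEmbedded cve-check tooling. It assumes the NVD 2.0 API record layout (each entry under "vulnerabilities" carries a "cve" object with "id", "vulnStatus", and optional "metrics" and "configurations"); the records below are constructed samples with fictional CVE IDs. The practical point for a cve-check user is that a record without CPE configurations cannot be matched to a recipe at all, so those IDs need manual triage rather than waiting on the scanner.

```python
"""Classify NVD 2.0-style CVE records as enriched or not.

Added example, not code from the openembedded-core thread, from VulnCheck
or from the cve-check class. Assumes the NVD 2.0 API record layout; the
sample records below are constructed and their CVE IDs are fictional.
"""
import json
from collections import Counter

# Constructed sample shaped like an NVD 2.0 API response (fictional IDs).
SAMPLE_NVD_JSON = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-2024-00001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]},
                 "configurations": [{"nodes": [{"cpeMatch": [
                     {"criteria": "cpe:2.3:a:example:lib:1.0:*:*:*:*:*:*:*"}]}]}]}},
        # Submitted but never analyzed: no metrics, no CPE configurations.
        {"cve": {"id": "CVE-2024-00002", "vulnStatus": "Awaiting Analysis"}},
        # Same status, but with an empty metrics object present.
        {"cve": {"id": "CVE-2024-00003", "vulnStatus": "Awaiting Analysis",
                 "metrics": {}}},
        {"cve": {"id": "CVE-2024-00004", "vulnStatus": "Received"}},
        # Analyzed earlier and modified since; still fully enriched.
        {"cve": {"id": "CVE-2024-00005", "vulnStatus": "Modified",
                 "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 5.0}}]},
                 "configurations": [{"nodes": [{"cpeMatch": [
                     {"criteria": "cpe:2.3:a:example:tool:2.1:*:*:*:*:*:*:*"}]}]}]}},
    ]
})

# Statuses under which NVD has completed its analysis of the record.
ENRICHED_STATUSES = {"Analyzed", "Modified"}


def is_enriched(cve: dict) -> bool:
    """A record counts as enriched only when analysis is complete and the
    fields a scanner relies on (CVSS metrics and CPE match criteria) exist."""
    has_metrics = bool(cve.get("metrics"))
    has_cpes = any(
        node.get("cpeMatch")
        for conf in cve.get("configurations", [])
        for node in conf.get("nodes", [])
    )
    return cve.get("vulnStatus") in ENRICHED_STATUSES and has_metrics and has_cpes


def enrichment_report(raw_json: str) -> dict:
    """Summarise a feed: total records, unenriched IDs, percentage, status counts."""
    data = json.loads(raw_json)
    records = data.get("vulnerabilities", [])
    unenriched = []
    by_status = Counter()
    for item in records:
        cve = item["cve"]
        by_status[cve.get("vulnStatus", "Unknown")] += 1
        if not is_enriched(cve):
            unenriched.append(cve["id"])
    total = len(records)
    return {
        "total": total,
        "unenriched": unenriched,
        "unenriched_pct": round(100.0 * len(unenriched) / total, 1) if total else 0.0,
        "by_status": dict(by_status),
    }


if __name__ == "__main__":
    # Point this at a saved NVD API page instead of SAMPLE_NVD_JSON for real data.
    print(json.dumps(enrichment_report(SAMPLE_NVD_JSON), indent=2))
```

Run over a daily dump of the NVD feed, the "unenriched" list is the set of CVEs that cve-check will silently miss because there is nothing to match a CPE against; tracking its size day over day reproduces the kind of trend VulnCheck reported.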
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#199948): https://lists.openembedded.org/g/openembedded-core/message/199948
Mute This Topic: https://lists.openembedded.org/mt/105119670/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
