CERT/CC Aims to Tackle FUD with New CVE-Naming Bot
Security experts at the CERT Coordination Center (CERT/CC) have begun a new initiative designed to tackle the rise in sensationalist naming of vulnerabilities.
Its “vulnonym” project will publish to Twitter neutral names associated with CVEs as they are issued.
CERT researcher, Leigh Metcalf, argued that although humans find it easier to relate to and remember names rather than numbers, threat researchers and their marketing teams often go too far with names like “Spectre” and “Heartbleed.
“Not every named vulnerability is a severe vulnerability despite what some researchers want you to think. Sensational names are often the tool of the discoverers to create more visibility for their work,” she added.
“This is an area of concern for the CERT/CC as we attempt to reduce any fear, uncertainty, and doubt for vendors, researchers, and the general public.”
As a result, CERT/CC will create what it hopes to be the de facto name for each CVE that is published.
“Our goal is to create neutral names that provides a means for people to remember vulnerabilities without implying how scary (or not scary) the particular vulnerability in question is. Our neutral names are generated from the CVE IDs to provide a nice mapping between name and number,” said Metcalf.
“The CERT/CC decided that if we can come up with a solution to this problem, we can help with discussions about vulnerabilities as well as mitigate the fear that can be spread by a vulnerability with a scary name. We plan to name the vulnerabilities with a phrase of adjective noun, for example, Arbitrary Albatross.”
Vulnonym is effectively a bot generating names from various lists of animals, plants, objects in space and other categories, and using the “Cantor Depairing Function” to map them to the relevant CVE IDs.
It remains to be seen whether these names actually stick. Already the bot has come up with some curious-sounding monikers including “Bottomless Whistler,” “Foamy Waka,” “Guarded Puffer” and “Pelleted Quetzal.”