{"id":3782,"date":"2024-05-29T09:00:00","date_gmt":"2024-05-29T14:00:00","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/why-cves-are-an-incentives-problem"},"modified":"2024-05-29T09:00:00","modified_gmt":"2024-05-29T14:00:00","slug":"why-cves-are-an-incentives-problem","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/05\/29\/why-cves-are-an-incentives-problem\/","title":{"rendered":"Why CVEs Are an Incentives Problem"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

COMMENTARY<\/span><\/span><\/p>\n

Two decades ago, the economist Steven Levitt and New York Times reporter Stephen Dubner published <\/span>Freakonomics,<\/span><\/span> which applied economic principles to various social phenomena. In essence, they argued that to understand how people make decisions, it’s crucial to consider what incentives they’re responding to. Through an assortment of sociological examples, they show how incentives often can lead to unforeseen outcomes, in many cases counterproductive to the original intent.<\/span><\/p>\n

I’ve been thinking about some of these unintended consequences in the context of a growing problem faced by all of us in cybersecurity: how a fast-rising tide of software vulnerabilities tracked as common vulnerabilities and exposures (CVEs) \u2014 are reported and maintained. Last year saw a <\/span>record 28,902 published CVEs<\/a><\/span> \u2014 or almost 80 vulnerabilities published every day \u2014 representing a 15% increase over 2022. Some of these software flaws represent a real cost, with two-thirds of security organizations reporting an average <\/span>backlog of more than 100,000 vulnerabilities<\/a><\/span>, and estimating that due to this overwhelming volume, they’re able to patch fewer than half of them. The increase in published CVEs is just one metric, as not all vulnerabilities receive a CVE, with decisions being left to the software vendor. In some cases, a software vulnerability is fixed and <\/span>no CVE is issued<\/a><\/span>.<\/span><\/p>\n

Looking at those figures, one might think the sheer volume of vulnerabilities points to a serious issue with the state of software security today. Yet, the numbers themselves don’t tell the whole story. The growing number of CVEs stems from two factors: We’ve gotten better at discovering vulnerabilities, and there are insufficient safeguards in place governing the creation and tracking mechanisms for CVEs. The incentive structure, particularly <\/span>who<\/span><\/span> is motivated to identify and assign severity to reported vulnerabilities accurately or inaccurately, must also be considered. So it’s worth asking: In what ways does the incentive structure within the cybersecurity ecosystem influence the reporting and addressing of vulnerabilities?<\/span><\/p>\n

Misaligned Incentives<\/h2>\n

While the system by which CVEs are assigned and scored is widely used and accepted, it’s not without its fair share of problems. Established in 1999 by MITRE, the CVE system serves as a trusted clearinghouse for the security industry, offering a standardized method for identifying and cataloging software vulnerabilities. By providing unique identifiers for security weaknesses found in commercial and open source software, CVEs enable enterprises and software vendors to effectively prioritize and mitigate vulnerabilities, thereby reducing the opportunity for threat actors to exploit these flaws.<\/span><\/p>\n

However, the incentive mechanisms behind the assignment and scoring of CVEs aren’t without significant challenges that can undermine the effectiveness of this system. Some of these challenges include:<\/span><\/p>\n

\n