Our CVE Story: Ancient History of the CVE Program — Did the Microsoft Security Response Center have Precognition?

CVE Program Blog
Sep 30, 2020

Guest author Lisa Olson of Microsoft is a CVE Board Member and Microsoft is a CNA.

Let me tell you something that seems rather strange: Microsoft has been a CVE Numbering Authority (CNA) since before written records on such things existed. How is that possible? Actually, early participants weren’t labeled CNAs until February 1, 2005.

(Chart: Microsoft CVEs Published 1999–2020)

Well, here is a link to our first CVE: CVE-1999-0007. This was documented in our second security bulletin, issued June 26, 1998. I wasn’t around the Microsoft Security Response Center (MSRC) then, but it must have been an interesting feat to issue a 1999 CVE six months before 1999 began. Needless to say, Microsoft has been an active participant in the CVE Program for a long time, and we’ve issued a lot of CVEs. As you can see from the chart, the numbers keep growing significantly every year. In this crazy year of 2020, we are at almost 100 CVEs per month on average. We think this might have something to do with researchers having more time on their hands due to the pandemic, but it also has to do with Microsoft’s bounty programs. The recent changes in the CVE Program that allow automated Pull Requests to populate the CVE corpus definitely help with this growth.

I’ve been in the MSRC and working with CVEs for the last seven years, and in that time the most impressive thing about the CVE Program to me is how nimble it is. We all know that technology is always in a rapid state of change. The combination of Moore’s Law and Metcalfe’s Law, which seem to be holding true in the 2020s, dictates that we are in a dizzying period of evolution. The widespread remote working brought on by the COVID-19 pandemic is fueling this even more.

When a company becomes a CNA, it agrees to follow a set of rules that outline when a CVE should be assigned to a vulnerability that is found. In 2019, the CVE Board and the CVE Working Groups took on the challenge of updating the CNA Rules. All of the individuals from CNAs who were participating in the Working Groups were encouraged to bring their unique points of view to the process. There were many robust discussions. Here are some significant changes:

  • Clarification was made around assigning CVEs for unsupported products.
  • Flattened the process for obtaining CVE IDs and publishing CVEs.
  • Changed the rule that restricted CVEs to software that is maintained on premises by the customer (i.e., customer-controlled software). This change allowed coverage of certain cloud, service, and related software vulnerabilities.

This last one caused much debate among the interested parties. Some believed that we needed to document every vulnerability found in any service. Others thought that we should keep the rule as it had been and never document service-related vulnerabilities, because there would be no action for the customer to take to protect themselves, as the action is taken by the service provider. Eventually, a compromise was reached that allows CNAs to decide whether assigning the CVE would be beneficial to the program and the wider industry participants: Does a customer of the service need to do something to protect itself against the vulnerability? Is it important for an industry peer (e.g., another cloud provider) to be aware of the vulnerability? Is it important to the research community that this be publicly documented?

For more information, you can see the relevant CVE Numbering Authority (CNA) Rules here.

We do expect, of course, that the landscape will change over the next decade. Hybrid cloud deployment is already starting to blur the lines between on-premises software and software in the cloud. The good news is that the CVE Program can continue to evolve the rules based on these changes in technology. The people on the Board and those committed to participating in the Working Groups are empowered to suggest changes and to convince others why a change is good for the program.

The thing that is exciting to me is that in all of the meetings I’ve participated in over the last few years, each and every participant seems sincere in their desire to improve the program. Diverse opinions and robust discussions are welcome. We encourage you to come participate and continue making the CVE Program thrive.

-Lisa Olson, Senior Security PM, Microsoft Security Response Center

The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. https://www.cve.org