CERT launched Twitter bot that comes up with names for vulnerabilities


Specialists from the CERT Coordination Center (CERT/CC) have launched a special Twitter bot, Vulnonym, which will “invent” random and maximally neutral names for vulnerabilities that have received CVE identifiers.

This idea was born out of endless discussions about “should vulnerabilities have names?”

For many years, MITRE has been assigning CVE identifiers to vulnerabilities in the standard format CVE-[YEAR]-[NUMBER], for example CVE-2019-0708. These CVEs are used by security software to identify bugs and to track and monitor problems for statistical purposes, but the raw identifiers are awkward for humans to work with.

Over the years, cybersecurity specialists have realized that their work on discovering vulnerabilities can get lost in a constant stream of hard-to-remember CVEs. Therefore, companies and researchers began to name their vulnerabilities in order to stand out from the crowd and be remembered. The most famous examples are the Spectre, Meltdown, Dirty Cow, Zerologon, Heartbleed, BlueKeep, SIGRed, BLURtooth, DejaBlue and Stagefright vulnerabilities.

CERT experts believe that over time this practice has reached the point of fearmongering and turned into a marketing ploy to attract attention.

“Because of this, some serious bugs remained almost unnoticed, as they did not receive high-profile names, while almost harmless errors received a lot of attention from the media just because they had big names, their own sites, logos, and sometimes even theme songs,” CERT said.

The situation sometimes really reaches the point of absurdity. For example, last year a vulnerability found by Cisco was named using three emojis and is also known as Thrangrycat (“three angry cats”).

In an attempt to mitigate the situation, CERT experts created Vulnonym, which gives bugs neutral codenames consisting of two words in adjective-noun form.
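As an added illustration, not code from CERT/CC or the Vulnonym bot (the page does not describe the bot's actual vocabulary or how it picks words), the following Python sketch validates the CVE-[YEAR]-[NUMBER] format and derives a two-word adjective-noun codename from the identifier. The word lists and the hash-based, deterministic selection are my own assumptions; the real bot may well choose names randomly.

```python
import hashlib
import re

# Standard CVE identifier format: CVE-<4-digit year>-<4 or more digits>.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Constructed word lists (assumption: Vulnonym's real vocabulary is not on the page).
# Words are chosen to be bland so the name says nothing about severity.
ADJECTIVES = ["quiet", "amber", "modest", "steady", "plain", "mild", "even", "dull"]
NOUNS = ["kettle", "meadow", "ledger", "pebble", "sparrow", "lantern", "harbor", "thimble"]


def parse_cve(cve_id: str) -> tuple[int, int]:
    """Return (year, sequence) for a well-formed CVE ID, else raise ValueError.

    Input is normalised (whitespace stripped, upper-cased) so 'cve-2019-0708'
    and 'CVE-2019-0708' refer to the same record.
    """
    match = CVE_RE.match(cve_id.strip().upper())
    if not match:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(match.group(1)), int(match.group(2))


def neutral_name(cve_id: str) -> str:
    """Map a CVE ID to a deterministic 'adjective noun' codename.

    Hashing the canonical ID (assumption, not the bot's documented method)
    means the same CVE always gets the same name, and nothing about the
    bug's impact leaks into the choice of words.
    """
    year, seq = parse_cve(cve_id)
    canonical = f"CVE-{year:04d}-{seq:04d}"   # keeps 5+ digit sequences intact
    digest = hashlib.sha256(canonical.encode()).digest()
    adjective = ADJECTIVES[digest[0] % len(ADJECTIVES)]
    noun = NOUNS[digest[1] % len(NOUNS)]
    return f"{adjective} {noun}"


if __name__ == "__main__":
    for cid in ("CVE-2019-0708", "cve-2019-0708", "CVE-2020-1472", "CVE-19-708"):
        try:
            print(cid, "->", neutral_name(cid))
        except ValueError as err:
            print(cid, "-> rejected:", err)
```

The format check matters in practice: identifiers with a two-digit year or a three-digit sequence are not valid CVE IDs, and rejecting them early avoids assigning a name to a typo.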

“Not every vulnerability with a name is a serious threat, although some researchers want you to think so. We are suggesting that vulnerabilities should be named; in fact, we even encourage it! Our goal is to create neutral names that allow people to remember vulnerabilities, but not focus on how dire (or harmless) a particular problem is,” writes CERT/CC member Leigh Metcalf.

Metcalf explains that people simply need easy-to-remember names to describe bugs, because “people are not good at remembering numbers,” such as those used as CVE identifiers. A person will easily remember google.com, but not the IP address the site is hosted on.

Let me remind you that experts at NortonLifeLock developed a free bot detection tool for Twitter.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advice and tips on GridinSoft's products. He's available 24/7 to assist you with any question regarding internet security.
