Specialists from the CERT Coordination Center (CERT/CC) have launched a special Twitter bot, Vulnonym, which will “invent” random and maximally neutral names for vulnerabilities that have received CVE identifiers.
This idea was born out of endless discussions about “should vulnerabilities have names?”
For many years, MITRE has been assigning CVE identifiers to vulnerabilities in the standard format CVE-[YEAR]-[NUMBER], for example CVE-2019-0708. These CVEs are used by security software to identify bugs and to track and monitor problems for statistical purposes, but humans also have to work with them.
Over the years, cybersecurity specialists have realized that their work on discovering vulnerabilities can get lost in a constant stream of CVEs that are difficult to remember. Therefore, companies and researchers began to name their vulnerabilities in order to stand out from the crowd and be remembered. The most famous examples of this are the Spectre, Meltdown, Dirty Cow, Zerologon, Heartbleed, BlueKeep, SIGRed, BLURtooth, DejaBlue and Stagefright vulnerabilities.
CERT experts believe that, over time, this practice has reached the stage of intimidation and turned into a marketing ploy to attract attention.
The situation sometimes really reaches the point of absurdity. For example, last year a vulnerability found by Cisco was named using three emojis and is also known as Thrangrycat (“Three angry cats”).
In an attempt to mitigate the situation, CERT experts created Vulnonym, which gives bugs neutral codenames consisting of two words in adjective-noun format.
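As an added illustration (not CERT/CC's or Vulnonym's own code), the following Python helper validates the CVE-[YEAR]-[NUMBER] format described above and derives a two-word adjective-noun codename for it. The word lists are constructed for this example, and the hash-based choice is an assumption made here so that the mapping is reproducible; Vulnonym itself picks its names randomly.

```python
import hashlib
import re
from typing import Tuple

# CVE identifier format: CVE-YYYY-NNNN, where the sequence number has at
# least four digits (longer sequence numbers have been allowed since 2014).
CVE_RE = re.compile(r"^CVE-(?P<year>\d{4})-(?P<seq>\d{4,})$")

# Constructed, deliberately bland word lists (not Vulnonym's real dictionary).
ADJECTIVES = ["quiet", "plain", "gentle", "steady", "modest", "calm", "tidy", "mild"]
NOUNS = ["meadow", "pebble", "lantern", "harbor", "thimble", "orchard", "kettle", "saddle"]


def parse_cve(cve_id: str) -> Tuple[int, int]:
    """Validate a CVE identifier and return (year, sequence number)."""
    match = CVE_RE.match(cve_id.strip().upper())
    if not match:
        raise ValueError(f"not a well-formed CVE identifier: {cve_id!r}")
    return int(match.group("year")), int(match.group("seq"))


def codename(cve_id: str) -> str:
    """Derive a neutral adjective-noun codename for a validated CVE.

    Assumption of this example: the normalized identifier is hashed so the
    same CVE always yields the same name, unlike Vulnonym's random picks.
    """
    parse_cve(cve_id)  # reject anything that is not a CVE identifier
    normalized = cve_id.strip().upper()
    digest = hashlib.sha256(normalized.encode("ascii")).digest()
    adjective = ADJECTIVES[digest[0] % len(ADJECTIVES)]
    noun = NOUNS[digest[1] % len(NOUNS)]
    return f"{adjective} {noun}"


if __name__ == "__main__":
    for example in ("CVE-2019-0708", "cve-2020-1472"):
        print(example, "->", codename(example))
```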
Metcalfe explains that people simply need easy-to-remember names to describe bugs, because “people are not good at remembering numbers” such as those used as CVE identifiers. A person will easily remember google.com, for example, but not the IP address the site is hosted on.
Let me remind you that experts at NortonLifeLock have developed a free tool for detecting bots on Twitter.