Jan Wildeboer 😷

IMHO: The sudden halt of funding for CVE at MITRE [1] creates an opportunity to "free" the critical task of managing vulnerabilities from its current US focus and move towards a more decentralised and transparent solution.

But for now it also means that I will subscribe to full-disclosure [2] again. Which has always been the messy, chaotic and loud cousin of Bugtraq [3] ;)

[1] usaspending.gov/award/CONT_AWD
[2] seclists.org/fulldisclosure/
[3] seclists.org/bugtraq/

As a first step the process of becoming a CNA (CVE Numbering Authority) [1] should be distributed, not centralised. That's the biggest SPOF (Single Point of Failure) IMHO. Right now a lot of exclusive power with regard to the CVE system is concentrated at MITRE. This must be changed. For example by sharing/transferring ownership/responsibility with enisa.europa.eu and other organisations.

[1] cve.org/PartnerInformation/Par

Some people discuss a full privatisation of the CVE program by having commercial companies take over the funding of the CVE program and maybe even moving it away from MITRE. IMHO that would be counterproductive. CVEs, no matter how disputable the current implementation is, MUST be independent of corporate interests.

@jwildeboer Ideas on how to achieve that and get the funding?

@jwildeboer
Becoming a CNA is not as centralised as you describe.
In Japan your Root CNA for onboarding is JPCERT, in Spain it is INCIBE.
ENISA could become a Root, but why not have an NGO instead?
The system with the Root CNAs is okay I think, however there should be more of them. And we already have two Program Roots: MITRE and CISA.
More important for me is the redundancy and distribution of the entries and reservations.

@jwildeboer enisa.europa.eu/topics/state-o

"
On 16 January 2023, the Directive (EU) 2022/2555 (known as NIS2) entered into force replacing Directive (EU) 2016/1148.
[..]
NIS2 assigns to ENISA a number of significant new tasks such as:

The development and maintenance of a European vulnerability registry
The secretariat of the European Cyber Crises Liaison Organisation Network (CyCLONe)
The publication of an annual report on the state of cybersecurity in the EU
[..]
"

@jwildeboer I miss bugtraq. Make exploiting software fun again!