The National Vulnerability Database (NVD) is a US government-funded resource that does exactly what the name implies-acts as a database of vulnerabilities in software. It operates as a superset of the Common Vulnerabilities and Exposures (CVE) system, operated by the non-profit Mitre Corporation, with additional government funding. For years, it has been good enough—while any organization or process has room to be made more efficient, curating a database of software vulnerabilities reported through crowdsourcing is a challenging undertaking.
Risk Based Security, the private operator of competing database VulnDB, aired their grievances with the public CVE/NVD system in their 2018 Vulnerability Trends report, released Wednesday, with charged conclusions including "there is fertile grounds for attorneys and regulators to argue negligence if CVE/NVD is the only source of vulnerability intelligence being used by your organization," and "organizations are getting late and at times unreliable vulnerability information from these two sources, along with significant gaps in coverage." This criticism is neither imaginative, nor unexpected from a privately-owned competitor attempting to justify their product.
In fairness to Risk Based Security, there is a known time delay in CVSS scoring, though they overstate the severity of the problem, as an (empirical) research report finds that "there is no reason to suspect that information for severe vulnerabilities would tend to arrive later (or earlier) than information for mundane vulnerabilities."
(Score: 2) by DannyB on Thursday February 28 2019, @07:32PM
Developer quality has utterly collapsed. That is why we see famous interview questions from Google and others. Most companies have made mistakes of hiring mediocre programmers or posers. HR people don't know the difference. Developers time is expensive, scarce and not well spent on interviews. Plus we now have a high tech "gold rush". Oh, I can get rich fast by becoming a developer! And books of the genre: Learn X in only 24 hours! (And yes, these books are deliberately intended to deceive people to think they can learn brain surgery or rocket science in less than ten years) How about: Learn C in only ten years! Become a SQL expert in only ten years!
Nailed it in one Mr. Garibaldi.
Absolutely agree. Yet JavaScript is a reality. And modern JS is far better than the state it was in ten or especially fifteen years ago. And standardization seems to finally, at long long last, taking hold. Sort of like teraforming.
Yes. But also another thing. Efforts to systematically eliminate these problems, such as I suggest elsewhere in this SN topic, are met with stiff resistance. It's not just troves of documentation to mitigate the problems. Things at fundamental levels like languages and compilers can make entire classes of bugs just vanish -- yet people will put up a fight over it.
The lower I set my standards the more accomplishments I have.