The National Vulnerability Database (NVD) is a US government-funded resource that does exactly what the name implies-acts as a database of vulnerabilities in software. It operates as a superset of the Common Vulnerabilities and Exposures (CVE) system, operated by the non-profit Mitre Corporation, with additional government funding. For years, it has been good enough—while any organization or process has room to be made more efficient, curating a database of software vulnerabilities reported through crowdsourcing is a challenging undertaking.
Risk Based Security, the private operator of competing database VulnDB, aired their grievances with the public CVE/NVD system in their 2018 Vulnerability Trends report, released Wednesday, with charged conclusions including "there is fertile grounds for attorneys and regulators to argue negligence if CVE/NVD is the only source of vulnerability intelligence being used by your organization," and "organizations are getting late and at times unreliable vulnerability information from these two sources, along with significant gaps in coverage." This criticism is neither imaginative, nor unexpected from a privately-owned competitor attempting to justify their product.
In fairness to Risk Based Security, there is a known time delay in CVSS scoring, though they overstate the severity of the problem, as an (empirical) research report finds that "there is no reason to suspect that information for severe vulnerabilities would tend to arrive later (or earlier) than information for mundane vulnerabilities."
(Score: 2) by ilsa on Friday March 01 2019, @03:53PM
And to an extent, they weren't wrong. Look at the breathtaking level of crapware that came out when Visual Basic was released. I have yet to see a single instance of Visual Basic code that isn't absolute garbage.
The lower you set the bar for new programmers, the worse the resulting code is going to be. It's as simple as that.
Throw something like Javascript into the mix, or any other language that was never designed for complex programs, and you amplify the problem that much more.
The same technologies that help good programmers work more efficiently, also tend to enable unskilled people to write code. There is a balance to be had, and what I see says that the pendulum has swung way too far to the 'easy' side.