DeepSec 2023 Talk: !CVE: A New Platform for Unacknowledged Cybersecurity !Vulnerabilities – Hector Marco & Samuel Arevalo
In the ever-evolving cybersecurity landscape, the identification and acknowledgment of vulnerabilities through the Common Vulnerabilities and Exposures (CVE) system plays a crucial role. However, vendor discretion in determining whether a security issue warrants a CVE assignment often results in overlooked vulnerabilities that pose significant risks. This presentation introduces the !CVE initiative, a groundbreaking platform that addresses this critical gap by identifying, tracking, and sharing unacknowledged cybersecurity vulnerabilities.
Our presentation begins with an overview of the CVE system and the challenges security researchers face in dealing with unacknowledged vulnerabilities. We discuss real-world examples of security issues ignored by vendors and explore the potential consequences of these hidden threats. We then delve into the !CVE platform, detailing its mission, features, and collaborative approach to empower the security community.
Through case studies, we show the value of the !CVE initiative in strengthening the cybersecurity ecosystem, highlighting the significance of addressing vulnerabilities not recognized by vendors. We also showcase the reporting process, expert panel, and public availability of !CVE reports, fostering a transparent and inclusive environment for vulnerability tracking and sharing.
Join us in exploring the world of unacknowledged cybersecurity vulnerabilities and learn how the !CVE initiative is bridging the gap between vendor discretion and community-driven security efforts. By raising awareness and fostering collaboration, we can create a more secure and resilient digital landscape for all.
We asked Hector and Samuel a few more questions about their talk.
Please tell us the top 5 facts about your talk.
- The talk introduces the !CVE initiative (https://notcve.org), a new platform focused on identifying, tracking, and sharing cybersecurity vulnerabilities that vendors are not acknowledging.
- The !CVE initiative aims to bridge the gap between vendor discretion and community-driven security efforts, encouraging collaboration and transparency.
- Our talk reveals the problematic nature of CVE assignment, highlighting issues like conflict of interest and unclear threat models.
- The presentation will include real-world examples and case studies that demonstrate the significance of these overlooked security issues.
- The talk will also feature a demo of the !CVE reporting process, offering a hands-on look at how the initiative aims to strengthen the cybersecurity ecosystem.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
The initial spark came from repeatedly encountering vulnerabilities that were significant but went unacknowledged by vendors. This made us realize that there’s a difference of opinion between what the security community perceives as a risk and what vendors are willing to acknowledge. The !CVE initiative was conceived to fill this gap and serve as a much-needed platform for the community to share and discuss these hidden risks.
Why do you think this is an important topic?
This topic is crucial because unacknowledged vulnerabilities, even when vendors are aware of them, continue to pose a significant risk. These overlooked vulnerabilities can be ripe targets for exploitation, especially since they often go unpatched and unmitigated because of the lack of vendor acknowledgment. The !CVE initiative empowers the cybersecurity community and organizations to defend against these often-ignored risks, thereby creating a more secure and resilient digital landscape.
Is there something you want everybody to know – some good advice for our readers maybe?
Good cybersecurity is not just about defending against known vulnerabilities; it’s also about proactively identifying and mitigating the risks that are not yet acknowledged. In a rapidly developing digital landscape, it’s vital to stay one step ahead. Be skeptical, question the status quo, and don’t rely solely on vendors to inform you of the risks associated with their products. The !CVE, is a free platform designed to track unacknowledged vulnerabilities, offering a solution for staying ahead of potential threats that are not covered by the traditional CVE system.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
As we move forward, we could see a shift in how security assessments and penetration testing are conducted. Cybersecurity professionals will increasingly adopt a more comprehensive approach that considers not just CVE-acknowledged vulnerabilities but also those listed on platforms like !CVE. This dual focus will allow for a more complete coverage of security issues, increasing the resilience and robustness of systems against a wider range of threats.
Hector is a cybersecurity expert with over 15 years of experience. He holds a PhD in cybersecurity where he found multiple vulnerabilities that have been awarded by Google and Packet Storm Security. He is the founder of Cyber Intelligence S.L., a Spanish experienced company specialized in software and hardware security. The company has developed their own tools and methods which allow to perform unique pentestings and vulnerability assessments. Cyber Intelligence has leaded several national and international security contracts and has successfully evaluated multiple products discovering multiple 1- and 0-day vulnerabilities.
Samuel Arevalo is a cybersecurity researcher for Cyber Intelligence S.L. He has a Bachelor’s Degree in Computer Science and a Master’s Degree in Cybersecurity and Cyberintelligence from the Polytechnic University of Valencia. His research interests include binary analysis, vulnerability research and machine learning applied to cybersecurity.