Common vulnerabilities and exploits fuel cyber attacks and warfare. We hear about them all the time. Notification and identification of these vulnerabilities used to be a hodgepodge. Information was decentralized. Affected vendors maintained their own, siloed assessments and acknowledgements. Virus detection engines used their own set of identified vulnerabilities. No common language or data representation format existed.
MITRE identified this as a problem in early 1999 [1]. They proposed a centralized repository of identified vulnerabilities. Industry, governments, and researchers would work hand in hand to identify and codify vulnerabilities. Fast forward 20 years. The MITRE Common Vulnerabilities and Exposure (CVE) database [2] has standardized vulnerability reporting. It has led to the development of numerous, other cybersecurity resources. An example is the MITRE ATT&CK knowledge base [3]. It lists adversary tactics and techniques based on real-world observations and matched to CVEs.
The time has come to centralize the reporting of data breaches in a similar, centralized and structured manner. Click here to read Justin Del Vecchio’s blog about what exactly a centralized, common enumeration of data breaches enables.
Submitted by: Justin Del Vecchio, PhD, Assistant Professor, Computer Science and Cybersecurity
