Mystical Vulnerabilities: Exploring the Oddities in Cybersecurity

Abstract

In the Information Security world, where many researchers crave to enhance their resume, the aid represented by the concepts of CVE and CVSS is paradoxally and slowly disrupting the vulnerability categorization and management process. Subject to disputed claims by the vendors and inflated severity ratings, the CVE assignment process has become a battleground for recognition, resulting in bogus submissions and unrealistic scores. That’s why, for this paper, we have ironically coined the term “Mystical Vulnerabilities”: security flaws that are not supposed to be so, but they get filed anyway, exploiting the lack of targeted inspection by MITRE or the NVD. This flawed system compels organizations to allocate resources based on CVE scores, and almost highlight the need for a “scoring system for the scoring system”. A shift towards a more filter-oriented culture and more transparent CVE assignment practices is imperative to navigate the complexities of the arising cyber threats. This paper proposes mitigations to this problem, from a cultural change, to additional scoring systems out there for complementing and filtering CVEs, finishing with interesting clean sources and databases.

Massimo Morello

Massimo is a passionate Cyber Security Analyst, currently working in the Deutsche Boerse Group (Eurex Clearing) as an Associate Information Security Specialist. Previously collaborating with Kemetmueller Information Security on vulnerabilities research, their trends, and how to efficiently face the storm. In addition, he was formerly employed at the European Central Bank as an IT Security Trainee, where he took care of Vulnerability Management as well. His approach in such a dynamic realm is complemented by a keen interest in Security Governance, IT Risk Management, and IT Compliance (especially with DORA and ISO 27001) in order to try to see the problems from a broader perspective. His paper “Regulatory Compliance Verification: A Privacy Preserving Approach” was presented last year at the CSNet 2023 (IEEE ComSoc) conference in Montreal. Two master’s degrees in Cyber Security (ouch!) with minor in Digital Innovation & Entrepreneurship, and a lot of thirst for knowledge, desire to share, and make together the Internet a safer place!