Vulnonym: Stop the Naming Madness!


Spectre. Meltdown. Dirty Cow. Heartbleed.


All of these are vulnerabilities that were named by humans, sometimes for maximum impact factor or marketing. Consequently, not every named vulnerability is a severe vulnerability despite what some researchers want you to think. Sensational names are often the tool of the discoverers to create more visibility for their work. This is an area of concern for the CERT/CC as we attempt to reduce any fear, uncertainty, and doubt for vendors, researchers, and the general public.



Software vulnerabilities are currently catalogued by number, primarily the Common Vulnerabilities and Exposures (CVE) ID, which makes computer analysis and storage very easy. However, humans aren't well conditioned to remember numbers. Instead, humans prefer names because we find them easier to remember. We don't remember IP addresses, but we easily remember the domain names we use to browse to our favorite websites. We also name things like hurricanes, snow storms, operating system updates, particular geographic locations like cities or states, and so on. They are all named because it's easier to remember Mojave instead of Mac OS 10.14, or Pittsburgh instead of 40.4406° N, 79.9959° W.


Names of vulnerabilities, in particular, are making their way into important spheres of influence. Case in point: on July 11, 2018, congressional testimony weighed the impacts of the "Meltdown" and "Spectre" vulnerabilities. The CVE-IDs, CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754, were never mentioned; only the sensational names were.


We aren't arguing that vulnerabilities shouldn't have names; in fact, we are encouraging this pr ..