search menu icon-carat-right cmu-wordmark

Vulnonym: Stop the Naming Madness!

Spectre. Meltdown. Dirty Cow. Heartbleed.

All of these are vulnerabilities that were named by humans, sometimes for maximum impact factor or marketing. Consequently, not every named vulnerability is a severe vulnerability despite what some researchers want you to think. Sensational names are often the tool of the discoverers to create more visibility for their work. This is an area of concern for the CERT/CC as we attempt to reduce any fear, uncertainty, and doubt for vendors, researchers, and the general public.

Software vulnerabilities are currently catalogued by number, primarily the Common Vulnerabilities and Exposures (CVE) ID, which makes it very easy for computer analysis and storage. However, humans aren't well conditioned to remember numbers. Instead, humans prefer names because we find them easier to remember. We don't remember IP addresses, but do easily remember domain names to browse to our favorite websites. We also name things like hurricanes, snow storms, operating system updates, particular geographic locations like cities or states, and so on. They all are named because it's easier to remember Mojave instead of Mac OS 10.14, or Pittsburgh instead of 40.4406° N, 79.9959° W.

Names of vulnerabilities, in particular, are matriculating into important spheres of influence. Case and point, on July 11, 2018, congressional testimony weighed the impacts of the "Meltdown" and "Spectre" vulnerabilities. The CVE-IDs, CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754, were never mentioned, only the sensational names were.

We aren't arguing that vulnerabilities shouldn't have names, in fact, we are encouraging this process! Our goal is to create neutral names that provides a means for people to remember vulnerabilities without implying how scary (or not scary) the particular vulnerability in question is. Our neutral names are generated from the CVE IDs to provide a nice mapping between name and number. The CERT/CC decided that if we can come up with a solution to this problem, we can help with discussions about vulnerabilities as well as mitigate the fear that can be spread by a vulnerability with a scary name. We plan to name the vulnerabilities with a phrase of adjective noun, for example, Arbitrary Albatross.

When tackling this problem, we considered several lists of words to ensure no sensational, scary, or offensive names were included. We created the list of both adjective and nouns using the combined resources of the wikitionary and categories of words such as animals, plants, objects in space, and more. Next, we created the method by which we map the CVE-IDs to the pair of adjective names. After much consideration, we used the Cantor Depairing Function, which is a bijection between the natural numbers and a pair of natural numbers. This means that each natural number can be mapped to two natural numbers uniquely.

To test out this idea, we're operating @vulnonym on Twitter to publish the neutral names associated with CVE IDs as they are issued. Follow @vulnonym and let us know if this naming experiment is useful! And in case anyone considers a word or name to be offensive, we have a simple process to remove it from the corpus and re-generate a name.

About the Author