Spectre. Meltdown. Dirty Cow. Heartbleed.

All of these are vulnerabilities that were named by humans, sometimes for maximum impact factor or marketing. Consequently, not every named vulnerability is a severe vulnerability despite what some researchers wanting you to think! Sensational names are often the tool of the discoverers to create more visibility for their work. This is a current challenge problem for the CERT/CC. We hope to reduce any fear, uncertainty, and doubt for vendors, researchers, and the general public.

Software vulnerabilities are currently categorized by number, primarily the Common Vulnerabilities and Exposures (CVE) ID, which makes it very easy for computer analysis and storage. However, humans aren't well conditioned to remember numbers, instead, Humans prefer names because we find them easier to remember. We don't remember IP addresses, but do easily remember domain names to browse to our favorite websites. We also name things like hurricanes, snow storms, operating system updates, particular locations like cities or states, and so on. They all are named because it's easier to remember Mojave instead of Mac OS 10.14, or Pittsburgh instead of 40.4406° N, 79.9959° W.

Names of vulnerabilities, in particular, are matriculating into important spheres of influence. Case and point, on July 11, 2018, congressional testimony weighed the impacts of the "Meltdown" and "Spectre" vulnerabilities. The CVE-IDs, of course, were never mentioned, only the sensational names were.

We aren't arguing that vulnerabilities shouldn't have names, in fact, we are encouraging this process! Our goal is to create neutral names that provides a means for people to remember vulnerabilities without implying how scary (or not scary) the particular vulnerability in question is. Our neutral names correspond to the CVE IDs to provide a nice mapping between name and number. The CERT/CC decided that if we can come up with a solution to this problem, we can help with discussions about vulnerabilities as well as mitigate the fear that can be spread by a vulnerability with a scary name. We plan to name the vulnerabilities with a phrase of adjective noun, for example, Arbitrary Albatross.

When tackling this problem, we considered several lists of words to ensure no sensational, scary, or offensive names were included. We created the list of both adjectives and nouns using the combined resources of the Wiktionary and categories of words such as animals, plants, objects in space, and more. Next, we created the method by which we map the CVE-IDs to the pair of adjective names. After much consideration, we used the Cantor Depairing Function, which is a bijection between the natural numbers and a pair of natural numbers. This means that each natural number can be mapped to two natural numbers uniquely.

CERT/CC is happy to announce the creation of a new twitter account, Vulnonym, that will publish the neutral names associated with CVE IDs as they are issued. Follow the account to see the new names. (https://twitter.com/vulnonym/)