What is the DWF?
Previous attempts to work with the legacy MITRE CVE ID system.
The DWF was previously a CNA, but is not one currently. Additionally, Kurt Seifried is no longer a CVE board member, having resigned in Jan 2021 (https://cve.mitre.org/community/board/index.html).
Yes, the CVE standard was amended almost a decade ago. Previously the CVE standard specified CVE-YEAR-NNNN using a hard-coded 4-digit maximum ID, so there could only be 9,999 CVE IDs per year. This was changed to keep the original zero-padded format for the first 9,999 IDs, with 10,000 and up just using the integer with no leading zeros. Some examples of blocks of large-integer CVEs include:
https://nvd.nist.gov/vuln/detail/CVE-2015-1000000 - https://nvd.nist.gov/vuln/detail/CVE-2015-1000013
https://nvd.nist.gov/vuln/detail/CVE-2016-1000000 - https://nvd.nist.gov/vuln/detail/CVE-2016-1000369
https://nvd.nist.gov/vuln/detail/CVE-2017-1000001 - https://nvd.nist.gov/vuln/detail/CVE-2017-1002201
https://nvd.nist.gov/vuln/detail/CVE-2018-1000001 - https://nvd.nist.gov/vuln/detail/CVE-2018-1002209
https://nvd.nist.gov/vuln/detail/CVE-2018-1999001 - https://nvd.nist.gov/vuln/detail/CVE-2018-1999047
https://nvd.nist.gov/vuln/detail/CVE-2019-1000001 - https://nvd.nist.gov/vuln/detail/CVE-2019-1003099
https://nvd.nist.gov/vuln/detail/CVE-2019-1010003 - https://nvd.nist.gov/vuln/detail/CVE-2019-1010319
https://nvd.nist.gov/vuln/detail/CVE-2019-1020001 - https://nvd.nist.gov/vuln/detail/CVE-2019-1020019
Simple: the DWF uses 1000000 and up, while MITRE has only ever assigned a maximum of about 16,000 CVEs per year (for each of the last 4 years, in fact).
Kurt Seifried: I was on the board and I don't know. All I know is MITRE takes CVE data from the cvelist GitHub repo, feeds it into some system on MITRE's end and then recommits it into GitHub. Sometimes it removes line feeds, although it's not clear if this is an automated or manual process. If someone from MITRE would like to clarify or explain what the backend was, we'd love to update this information.
By year, we see the following trend over 10 years:
Year | Number of Legacy CVE IDs assigned | REJECT (assigned and then removed)
This data was pulled on 2021-04-08 from allitems.csv (https://cve.mitre.org/data/downloads/). The second column is assigned legacy CVE IDs (excluding REJECT and RESERVED entries); the third column is all the legacy CVE IDs marked as REJECT. You can confirm this via:
curl -fsS https://cve.mitre.org/data/downloads/allitems.csv | grep '^CVE-' | grep -v RESERVED | grep -v REJECT | cut -d- -f2 | uniq -c
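The same per-year count, plus the ID-syntax rules and the DWF/legacy range split described above, as an added Python example (not code from the DWF project): parse_cve_id, is_dwf_range, classify and count_by_year are names chosen here, and the SAMPLE rows are constructed in the allitems.csv column layout rather than real entries.

```python
import csv
import re
from collections import Counter

# CVE ID syntax: "CVE-" + 4-digit year + "-" + at least four digits. IDs 1..9999
# are zero-padded to four digits; IDs of 10000 and above carry no leading zeros.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

def parse_cve_id(cve_id):
    """Return (year, number) for a syntactically valid CVE ID, else None."""
    m = CVE_ID_RE.match(cve_id)
    if not m:
        return None
    year, digits = m.groups()
    if len(digits) > 4 and digits[0] == "0":
        return None  # e.g. CVE-2021-01234 is not a valid ID
    return int(year), int(digits)

def is_dwf_range(number):
    """DWF assigns from 1000000 upward; legacy MITRE IDs have stayed well below that."""
    return number >= 1_000_000

def classify(description):
    """Mirror the page's grep filters: an entry is RESERVED, REJECT or assigned."""
    if description.startswith("** RESERVED **"):
        return "RESERVED"
    if description.startswith("** REJECT **"):
        return "REJECT"
    return "ASSIGNED"

def count_by_year(csv_text):
    """Per-year Counter of ASSIGNED/REJECT/RESERVED over allitems.csv-style rows."""
    counts = {}
    for row in csv.reader(csv_text.splitlines()):
        parsed = parse_cve_id(row[0]) if row else None
        if parsed is None:
            continue  # header or preamble lines do not start with a CVE ID
        year, _ = parsed
        counts.setdefault(year, Counter())[classify(row[2])] += 1
    return counts

# Constructed sample (Name,Status,Description,References,Phase,Votes,Comments);
# these IDs and descriptions are made up for the example, not real entries.
SAMPLE = '''\
Name,Status,Description,References,Phase,Votes,Comments
CVE-2021-0001,Candidate,"Example assigned entry",URL,Assigned (20210101),,
CVE-2021-0002,Candidate,"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER.",,,,
CVE-2021-0003,Candidate,"** RESERVED ** This candidate has been reserved.",,,,
CVE-2021-1000001,Candidate,"Example entry in the DWF block",URL,Assigned (20210308),,
CVE-2020-12345,Candidate,"Example 2020 entry",URL,Assigned (20200101),,
'''
```

Feeding the real allitems.csv text to count_by_year reproduces the second and third table columns without relying on the file being sorted, which the uniq -c pipeline does.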
One concern people raise is that someone will submit a duplicate security identifier request for an existing CVE. If notified of a duplicate, the DWF will check the NVD database to confirm it, and we will then mark our CVE as a duplicate, since we can correct this much faster and more easily than MITRE can.
So far, as of 2021-04-19, this has not been a significant problem, even though there are 3 duplicated entries:
CVE-2021-1000001 assigned by the DWF on Mar 8 07:12:10 2021
CVE-2021-26806 assigned by MITRE on Apr 14 14:00:43 2021
So MITRE was over a month late and MITRE could have easily found this in the DWF database.
CVE-2021-1000006 assigned by the DWF on Mar 16 11:39:05 2021 +0000
CVE-2021-28543 assigned by MITRE on Mar 16 15:00:44 2021 +0000
So 3+ hours late and MITRE could have easily found this in the DWF database.
CVE-2021-1000007 assigned by the DWF on Mar 18 16:23:10 2021
CVE-2021-29932 assigned by MITRE on Apr 1 05:00:39 2021
So MITRE was 2 weeks late and MITRE could have easily found this in the DWF database.
It appears that MITRE is either scraping the DWF database for entries, or taking so long to assign CVEs that people are giving up and coming to the DWF project, or both.