CERT/CC: ‘Sensational’ bug names spark fear, hype – so we’ll give flaws our own labels… like Suggestive Bunny

Many memorable events get named, whether they’re hurricanes, political events, or security incidents like the Morris Worm, which surfaced 32 years ago yesterday.

But named security incidents recently have editorialized their own importance with fear-mongering monikers like Heartbleed (2014), Meltdown, Spectre, and Foreshadow (2018), and Fallout and ZombieLoad (2019).

Not all do so. There have been less emotionally loaded bug names proposed, like CacheOut, CrossTalk, and RIDL, but name-amplified alarmism has become prevalent enough to prompt the infosec experts at the CERT cybersecurity division of Carnegie Mellon University’s Software Engineering Institute, to intervene.

Last month, the CERT/CC began applying names to Common Vulnerabilities and Exposures (CVE) identifiers, to make them easier to recall and less likely to cause concern.

“Sensational names are often the tool of the discoverers to create more visibility for their work,” explained Leigh Metcalf, senior network security research analyst at the CMU’s CERT/CC, on Friday. “This is an area of concern for the CERT/CC as we attempt to reduce any fear, uncertainty, and doubt for vendors, researchers, and the general public.”

The impetus for the initiative, Metcalf suggests, is that such names shape public policy debates, such as the 2018 US government hearings that mentioned Meltdown and Spectre.

On October 16, via the Twitter bot dubbed Vulnonym, CERT/CC began proposing randomized adjective noun combinations for CVE designations. So instead of referring to vulnerabilities like the recent Windows kernel flaw with a yawn-inducing identifier like CVE-2020-17087, the group is proposing auto-assembled nicknames like Unsure Ensemble, Shapeless Screwdriver, and Unmarked Slapstick. And Suggestive Bunny.

Metcalf says the goal is to create “neutral names” that manage to be memorable without commenting on the severity of the flaw.

CERT’s naming scheme draws from a list of adjectives and nouns culled from Wiktionary and various word categories like animals, plants, space objects, and so on. These then get mapped to the digits in the CVE number using the Cantor Depairing Function. The results often sound like Ubuntu Linux release code names.

“When tackling this problem, we considered several lists of words to ensure no sensational, scary, or offensive names were included,” explained Metcalf, perhaps unaware that CVE-2020-9875 was dubbed Scary Seine.

But neutral language is a challenge because individually innocuous words may become less so in combination and because context matters when it comes to meaning. Some of the names issued invite a snicker on their own, like Canny Lumpsucker.

Others might be seen as provocative, if Grizzled Serf referred to an Amazon-related vulnerability or Filthy Python referred to a flaw in an adult toy. And what to make of Headed Bottom and Perceptive Ejaculate?

At least such issues have been anticipated. Metcalf says there’s a simple process to remove offensive names from the data set and regenerate them. She doesn’t specify what that process is or propose criteria for assessing objectionable combinations.

Perhaps the complaint process will follow the current standard for customer support – raising a ruckus on social media. ®

READ MORE HERE