
Firms Push for CVE-Like Cloud Bug System
2022-04-26 12:29

MITRE, the non-profit organization behind the CVE system, does not designate CVE IDs for security issues deemed to be the responsibility of cloud providers.

The assumption is that cloud providers own the problem, and that assigning CVEs to issues that are not customer-controlled or patched by admins falls outside the CVE system's purview.

"As we uncover new types of vulnerabilities, we discover more and more issues that do not fit the current model," wrote cloud researchers Alon Schindel and Shir Tamari with the cloud security firm Wiz, in a post.

The researchers acknowledged that cloud service providers do respond quickly to cloud bugs and work fast to mitigate issues.

The CVE approach to cloud bugs also has the support of the Cloud Security Alliance, which counts Google, Microsoft and Oracle as executive members.

"At times, some of the CVE Board has advocated for CVEs to expand to cover cloud vulnerabilities, while others argue against it. At least one who advocated for CVE coverage said they should get CVE IDs, [with] others that supported and disagreed with the idea saying that if cloud was covered, [those bugs] should get their own ID scheme," he wrote.


News URL

https://threatpost.com/cve-cloud-bug-system/179394/