
UK agency floats plan to overhaul vulnerability classifications


The UK’s cybersecurity regulator has pitched a plan that would see the elimination of vulnerability ratings.

The National Cyber Security Centre (NCSC) laid out a case for simplifying classification of security flaws and eliminating many of the currently used vulnerability scoring systems.

The problem, the agency said, is that with so many security vulnerabilities being disclosed, network defenders are left confused as to which patches should be prioritized and which can be addressed at a later time.

“All systems contain vulnerabilities. In fact, the number of Common Vulnerabilities and Exposures (CVEs) in commodity technology continues to rise,” the NCSC explained.

“While there are a number of factors that are driving the increasing numbers, the NCSC expect this trend to continue unless interventions are made.”

Rather than attempt to score and prioritize vulnerabilities and patches based on severity ratings, the NCSC team believes organizations should adopt a simple policy with two classifications.

Organizations would be better served by breaking vulnerabilities down into “forgivable” and “unforgivable” categories, the NCSC argued.

In the case of “forgivable” bugs, administrators can be forgiven for not patching. Such flaws are low-risk, obscure, or in some way difficult to patch or to exploit in the wild.

In the second category, there are “unforgivable” vulnerabilities. Such bugs are well-known, easily patched, or have active exploits used in the wild by threat actors.

“We know many vulnerabilities are complex and hard to avoid,” the UK governing body said.

“But vulnerabilities that are trivial to find (and that occur time and time again) are ones the NCSC are aiming to drive down at scale.”

The agency goes on to explain that being able to distinguish forgivable bugs from unforgivable vulnerabilities would be important for organizations and administrators. Additionally, vendors and developers would need to do a better job of reviewing their code and catching common vulnerabilities before they reach the wild.

In the end, however, it is hoped that the system for classifying and disclosing vulnerabilities can be made easier to understand and manage.

“Developers and vendors need to adopt secure programming concepts and enforce their use to make it harder for the mistakes to be made at source,” NCSC explained.

“Vulnerabilities must be caught early in the development process.”

Shaun Nichols

A career IT news journalist, Shaun has spent 17 years covering the industry with a specialty in the cybersecurity field.
