A flaming meteor streaking across the night sky.

The entirely predictable problems with the Vulnonym naming scheme

Security researchers increasingly give security vulnerabilities they discover a unique and memorable name and logo. Names (and cute logos) generate more exposure for the vulnerability and the researchers who found it. The Computer Emergency Response Team Coordination Center (CERT/CC) believes this naming trend invokes “fear, uncertainty, and doubt for vendors, researchers, and the general public.” To address the situation, it has introduced Vulnonyms: a system for automatically naming vulnerabilities. What could possibly go wrong⸮

Security vulnerabilities are often entered into the Common Vulnerabilities and Exposures (CVE) database and assigned a CVE ID number. These numbers are in the format CVE-YEAR-NUMBER, e.g. CVE-2020-12345. These identifiers, unlike the names assigned by researchers, aren’t memorable.

Vulnonyms is supposed to fill the gap between a memorable name and a CVE ID. A vulnonym consists of an adjective followed by a noun. The words are picked from a curated dictionary list that corresponds to the vulnerability’s CVE ID. Stated goals for the project include “stopping the naming madness” and “ensur[ing] no sensational, scary, or offensive names were included.” The scheme is experimental and CERT/CC currently only publishes the names in a Twitter feed of new CVEs.

The results of any effort to let a computer name things are quite predictable. The first name I saw on the Twitter feed was “Terrible Meteor”: a quite sensational and scary name that might imply an imminent apocalypse. The feed is also filled with other unfortunate names like “Suggestive Bunny” and “Brisk Squirt.”

CERT/CC hasn’t released the exact list of dictionary words or the algorithm used to select the names. However, it says it has scrubbed the dictionary to avoid unfortunate names. It has a process ready to generate new names for researchers whose work is assigned unflattering names.

The problem with using words for naming things is that words have meanings. You can’t randomly combine words into phrases without — at least sometimes — creating meaning and associations. People can’t turn off the part of their brain that spot patterns and try to glean meaning from what is supposed to be an arbitrary random name. This strategy doesn’t even work when combining random letters, as you end up with things like a barcode that reads “BUMSEX” for a postal vote on same-sex marriage equality.

Would you expect that a security vulnerability named “Filthy Python” perhaps had something to do with a memory-buffer overflow in the popular Python programming language? Well, it doesn’t. It refers to a security vulnerability in an open-source video-conferencing platform that is built in a long list of programming languages not including Python.

How about “Hazy Bit”? Surely that must be a new processor side-channel vulnerability in the Spectre/Meltdown family? Nope, it’s a bug in Trend Micro Antivirus that can crash your Mac. “Untreated Drive” must surely be some kind of exploit involving tomfoolery with a storage drive controller driver? Again no, it’s an attacker-in-the-middle vulnerability in Synology network routers.

Many of the vulnonyms in the Twitter feed uses uncommon words with difficult spelling and pronunciation. You need a dictionary and a thesaurus at hand to know what they mean and how they’re pronounced.

I’ve selected some fun examples from the Twitter feed for this article to prove a point. I hope CERT/CC will drop its ill-conceived naming scheme. After all, it had an entirely “Predictable Outcome.”