CVE 25th Anniversary

On the long-term scale of human history, 25 years is nothing. But on the Internet, 25 years is a very long time!

In 1999, maybe you connected to the World Wide Web via a 33.6 Kbps modem in your living room, so you could do an AltaVista search for the latest updates on the Y2K problem. Or maybe you mostly used your dialup connection to send email through your AOL account. Or perhaps you didn’t have Internet access at home at all yet! But plenty of companies, organizations, and governments were already using the Internet to get their business done.

As anyone who has ever used any software knows, no matter how careful programmers are, software will have bugs in it. Some bugs are minor and fairly benign, while others are much more significant and widespread. Researchers at MITRE recognized that it would be essential to have a central clearinghouse of information about these important software vulnerabilities to ensure that they could be addressed properly, which led to the creation of the Common Vulnerabilities and Exposures (CVE) Program in 1999.

ISC is proud to have been a participant in the program since its inception, and is pleased to help commemorate its 25th anniversary in October 2024. Since the program’s earliest days, ISC has been responsibly reporting software vulnerabilities. The first BIND CVE, CVE-1999-0186, was published on September 29, 1999, and there have been approximately 100 more BIND CVEs since then.

It’s hard to be excited about finding major bugs in our software, but ISC devotes significant resources to maintaining a system for soliciting, analyzing, responding to, fixing, and disclosing any security vulnerabilities that are discovered. We try to be transparent with our users so that they can feel confident that, even when a vulnerability is found, we will address it appropriately. We maintain a matrix of BIND vulnerabilities at https://kb.isc.org/docs/aa-00913 that users are encouraged to consult at any time, and invite anyone who thinks they may have uncovered a BIND security issue to follow the instructions at https://www.isc.org/security-report.

As the CVE program has evolved, we have joined it as a Numbering Authority so we can assign our own CVE identifiers; we also coordinate with other vendors, researchers, and organizations to manage protocol-wide vulnerabilities.

For anyone interested in learning more about the CVE scoring process and how it applies to the DNS, ISC staff member Cathy Almond will be presenting at the upcoming DNS-OARC 43 meeting in Prague on October 27, 2024; details are at https://indico.dns-oarc.net/event/51/contributions/1096/.

ISC remains committed to responsibly reporting CVEs in any of our software, as part of our mission to keep the Internet safe and open to all. We thank The MITRE Corporation, the Homeland Security Systems Engineering and Development Institute (HSSEDI), and the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) for their longtime stewardship of the CVE program. Read the 25th Anniversary Report at https://www.cve.org/Resources/Media/Cve25YearsAnniversaryReport.pdf.
