CVE Project planning for beyond hole 9999
The number of officially reported vulnerabilities is likely to increase significantly in the future, which is why the MITRE Corporation, home of the Common Vulnerabilities and Exposures (CVE) project, is planning a change in the way it counts those vulnerabilities. So far, up to 9999 bugs per year can be registered, but after the switch, to be enacted in January 2014, anywhere up to 999,999 holes could get their own CVE numbers.
Overall, there are three proposed counting systems. One would allow the CVE numbers to be created with six digits and leading zeros (for example, CVE-2014-000001); another would have leading zeros for numbers up to 999, then drop the leading zeros and allow for any number of digits (CVE-2014-0001 or CVE-2014-54321); and a third would have arbitrary digits and a check digit calculated with the Luhn Check Digit Algorithm (giving numbers such as CVE-2014-1-8, CVE-2014-9999-4 or CVE-2014-123456-5).
Because of the impact these changes will have on automated systems that handle CVE numbers, MITRE is consulting the public through the RSA Conference, where it will have representatives available to discuss the issues, and is accepting feedback by email to [email protected] or to any of the public email lists it has set up.
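To make the impact on automated systems concrete, the following added example (not MITRE's code and not part of the original article) parses IDs under each of the three proposed syntaxes and shows what a tool that assumes exactly four sequence digits would extract from the same strings. The pattern names, the function names and the legacy regular expression are assumptions made for illustration; the check digit is extracted but not verified, because the article does not say which digits the Luhn calculation covers.

```python
import re

# Assumed legacy pattern: exactly four sequence digits, unanchored.
LEGACY = re.compile(r"CVE-(\d{4})-(\d{4})")

# One pattern per proposed syntax from the article (names are hypothetical).
PROPOSED = {
    "six_digit_padded": re.compile(r"CVE-(\d{4})-(\d{6})"),
    "min_four_digits": re.compile(r"CVE-(\d{4})-(\d{4}|[1-9]\d{4,})"),
    "check_digit": re.compile(r"CVE-(\d{4})-(\d+)-(\d)"),
}


def parse_cve(cve_id):
    """Parse an ID under any proposed syntax; return None if none accepts it.

    The check digit is extracted but not verified: the article does not say
    which digits the Luhn calculation covers.
    """
    hits = {}
    for name, pattern in PROPOSED.items():
        m = pattern.fullmatch(cve_id)
        if m:
            hits[name] = m
    if not hits:
        return None
    m = next(iter(hits.values()))
    # The check-digit form has an extra segment, so it never co-matches.
    check = int(m.group(3)) if "check_digit" in hits else None
    return {"year": int(m.group(1)), "seq": int(m.group(2)),
            "check": check, "syntaxes": sorted(hits)}


def legacy_extract(text):
    """What a four-digit-only tool would pull out of free text."""
    return ["CVE-%s-%s" % pair for pair in LEGACY.findall(text)]


if __name__ == "__main__":
    # Constructed sample: the example IDs quoted in the article.
    samples = ["CVE-2014-000001", "CVE-2014-0001", "CVE-2014-54321",
               "CVE-2014-1-8", "CVE-2014-9999-4", "CVE-2014-123456-5"]
    for s in samples:
        print(s, "legacy:", legacy_extract(s), "parsed:", parse_cve(s))
```

The legacy pattern does not simply reject the longer IDs: it truncates CVE-2014-54321 to a different, well-formed ID, so a scanner or ticketing system would silently attribute findings to the wrong vulnerability.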
(djwm)