The UK’s National Cyber Security Centre (NCSC) has proposed discarding the current vulnerability scoring systems and replacing them with a simplified classification approach, according to SC Media.
The NCSC points out that the increasing number of Common Vulnerabilities and Exposures (CVEs) is overwhelming network defenders, making it challenging to prioritize patches.
"While there are a number of factors that are driving the increasing numbers, the NCSC expects this trend to continue unless interventions are made," the NCSC said.
The agency proposes categorizing vulnerabilities into two groups: "forgivable" and "unforgivable." Forgivable vulnerabilities are low-risk, obscure, or difficult to exploit, meaning administrators are not expected to patch them immediately. In contrast, unforgivable vulnerabilities are easily exploitable or well-known flaws that require immediate attention.
"Vulnerabilities that are trivial to find (and that occur time and time again) are ones the NCSC are aiming to drive down at scale," it said.
The organization also pointed out the need for better secure programming practices to reduce such flaws at the development stage. By adopting this simpler approach, the NCSC hopes to make vulnerability management more straightforward for organizations and encourage developers to address security issues early in the development process.