
In an attempt to reduce the use of sensationalized and scary vulnerability names, the CERT/CC team launched a Twitter bot that will assign random and neutral names to every security bug that receives a CVE identifier.

Named Vulnonym[1], the bot is operated by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, the first-ever CERT team created, and now a collaborator and partner of the DHS' official US-CERT team.

The idea for this bot came after the seemingly unending discussions around the question of whether vulnerabilities should have names at all.

The problem with vulnerability names

For decades, all major security flaws have been assigned a CVE identifier by the MITRE Corporation. This ID is usually in the format of CVE-[YEAR]-[NUMBER], such as CVE-2019-0708.

These CVE IDs are usually used by security software to identify, track, and monitor bugs for statistical or reporting purposes, and CVE IDs are rarely used by humans in any meaningful way.

Over the years, some security firms and security researchers realized that their work in identifying important bugs could easily get lost in a constant stream of CVE numbers that almost everyone has a hard time remembering.

Companies and researchers realized that the bugs they discovered had more chances to stand out if the bug had a cool-sounding name.

And so the practice of "bug naming" came to be, with the best-known examples being Spectre[2], Meltdown[3], Dirty Cow[4], Zerologon[5], Heartbleed[6], BlueKeep[7], BLESA[8], SIGRed[9], BLURTooth[10], DejaBlue[11], or Stagefright[12].

But as time went by, some vulnerability names started to deviate from being descriptive of a security bug and entered the realm of fearmongering and attention-seeking, becoming a marketing shtick.

Things reached a ridiculous

Read more from our friends at ZDNet