User Story: Security researcher for IT/Security software product #15

@boblord

Description

As a security researcher performing vulnerability analysis for a commercial IT and security platform, I struggle with inconsistent and incomplete CVE data because software manufacturers frequently delay updates, use inconsistent versioning, and omit operating system details, forcing me to manually cross-reference and clean the data to ensure accurate detections for our customers.

  1. Delayed publication of CVE details
    Many software manufacturers reserve CVEs and publish security advisories but fail to update the corresponding CVE records within the required 24-hour period. This has become a growing problem, particularly with Google, which often publishes advisories and then leaves the CVE records incomplete for weeks. While short delays of a day or two may be tolerable, extended gaps undermine trust in CVE timeliness and disrupt vulnerability research workflows. In contrast, Apple generally stays within the 24–48-hour guideline, demonstrating that timely publication is feasible.

  2. Inconsistent version reporting for macOS software
    macOS applications often include both app version and bundle version values in their plist files. Manufacturers vary in which version they include in CVE records, sometimes switching between them across different vulnerabilities. This inconsistency makes automated matching difficult and forces the researcher to manually compare CVE data against internal datasets. The lack of standardization increases the risk of mismatched detections and slows analysis.

  3. Poor OS attribution and inconsistent CPE usage
    Mac vulnerabilities are systematically underserved compared to Windows. Many CVEs omit clear operating system identifiers, even when advisories explicitly specify the platform. For example, a CVE might describe registry keys or DLL files—implying Windows—but include a wildcard CPE string that lists no OS. When third-party CNAs are involved, their CPE formats often differ from those used by the original vendors, creating further inconsistency. These gaps make it difficult to determine whether a vulnerability applies to macOS, Windows, or both.

  4. Operational impact and downstream consequences
    Because CVE data is often incomplete or ambiguous, the researcher’s team must spend significant effort normalizing records before they can be used for detections. Their customers depend on accurate OS attribution to avoid false positives—particularly to ensure that Mac detections are not triggered by Windows-only vulnerabilities. Without reliable and machine-readable fields for Product, Version, and Operating System, automation breaks down, and the cost of maintaining accurate detections falls on downstream consumers rather than the CNAs responsible for the data.
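As an added illustration of the cross-referencing this story describes (example code written for this page, not code from the issue author or any CVE program), the Python below parses CPE 2.3 strings, flags a record whose advisory text implies a platform while every CPE leaves the OS unspecified, and accepts either macOS plist version field when matching a CVE-reported version. The platform indicator patterns and the sample record are constructed assumptions, not data from real CVEs.

```python
import re

# CPE 2.3 formatted-string fields, in order (13 colon-separated values).
CPE_FIELDS = ["cpe", "cpe_version", "part", "vendor", "product", "version",
              "update", "edition", "language", "sw_edition", "target_sw",
              "target_hw", "other"]

# Constructed indicator patterns: wording that implies a platform (assumption).
WINDOWS_HINTS = re.compile(r"registry key|HKEY_|HKLM|\.dll\b|\.exe\b", re.I)
MACOS_HINTS = re.compile(r"\.plist\b|\.dylib\b|\.app\b|launchd", re.I)

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 string into named fields, keeping escaped ':' intact."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != len(CPE_FIELDS):
        raise ValueError(f"expected 13 CPE fields, got {len(parts)}: {cpe}")
    return dict(zip(CPE_FIELDS, parts))

def os_attribution_gaps(description: str, cpes: list[str]) -> list[str]:
    """Warn when the text implies an OS but no CPE in the record names one.
    An OS counts as named if a CPE has part 'o' or a non-wildcard target_sw."""
    named_os = set()
    for cpe in cpes:
        f = parse_cpe23(cpe)
        if f["part"] == "o":
            named_os.add(f["product"])
        if f["target_sw"] not in ("*", "-"):
            named_os.add(f["target_sw"])
    if named_os:
        return []
    gaps = []
    if WINDOWS_HINTS.search(description):
        gaps.append("text implies Windows but no CPE names an OS")
    if MACOS_HINTS.search(description):
        gaps.append("text implies macOS but no CPE names an OS")
    return gaps

def version_matches(cve_version: str, short_version: str, bundle_version: str) -> bool:
    """Accept a CVE version equal to either plist field, since CNAs use both
    CFBundleShortVersionString (e.g. '4.2.1') and CFBundleVersion (e.g. '8832')."""
    return cve_version.strip() in {short_version.strip(), bundle_version.strip()}

# Constructed sample record (not a real CVE): Windows wording, wildcard CPE.
SAMPLE_TEXT = ("The installer writes a world-writable registry key under HKLM "
               "and loads helper.dll from a user-controlled path.")
SAMPLE_CPES = ["cpe:2.3:a:example:agent:3.1.0:*:*:*:*:*:*:*"]

if __name__ == "__main__":
    print(os_attribution_gaps(SAMPLE_TEXT, SAMPLE_CPES))
```

Records that come back with a non-empty gap list are the ones that need manual OS attribution before they can drive a Mac- or Windows-specific detection.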
