Generating names for vulnerabilities. Colleagues who work on attack attribution have a funny habit of naming attack groups according to some scheme. For example, Midnight Blizzard or Mysterious Werewolf. 🙂 I thought, why can’t we name vulnerabilities in a similar way?
For example, Remote Code Execution – Windows NAT (CVE-2024-38119)
🔹 We transform vulnerability types into consonant names of animals. RCE – let it be Racoon. For EoP it can be Elephant, for Memory Corruption – Monkey, etc.
🔹 Based on software names, we automatically select adjectives that begin with the same letters. “Windows NAT” -> “Windy Nautical”.
🔹 There can be many vulnerabilities of the same type in the same product. Therefore, we generate combinations of adverbs and past participles (6940230 combinations), and then map CVE identifiers into them. CVE-2024-38119 -> 202438119 -> “2438119”: “inquisitively underspecified”
Thus we get: “Inquisitively Underspecified Windy Nautical Racoon”. 🙂