Security Industry Call-to-Action: We Need a Cloud Vulnerability Database

Conference:  BlackHat USA 2021

The presentation discusses the need for a new identifier and open database for cloud vulnerabilities due to the current CVE model being insufficient for cloud vulnerabilities.
  • Current CVE model is insufficient for cloud vulnerabilities
  • Cloud vulnerabilities need a new system to handle them
  • Examples of cloud vulnerabilities are presented
  • Proposal for a new identifier and open database for cloud vulnerabilities is introduced
  • Community involvement is necessary to solve cloud vulnerability issues
The presentation highlights the issue of a new CSO being responsible for cloud security and not having a clear solution for cloud vulnerabilities. The current CVE system does not cover cloud vulnerabilities, and there is no centralized location for information on these vulnerabilities. An example of an AWS email that did not clearly identify a vulnerability is given to illustrate the lack of transparency from cloud providers.

The shared responsibility model is broken. Companies are unable to keep up with cloud complexity, while vendors and cloud providers do not provide clear identification, tracking, or severity ratings for vulnerabilities discovered in their platforms. Moreover, there is an inherent lack of transparency, as cloud providers do not share full details of exposure, impact, or mitigation steps for vulnerabilities discovered in their platforms. Join the Wiz Research Team, who uncovered several unprecedented cloud vulnerabilities in AWS, GCP and Azure, as they walk through their journey and the conclusions they drew from the disclosure process. We will review key learnings and insights from OMIGOD, ChaosDB and the AWS IAM cross-account vulnerabilities we uncovered. In this session we will make the case for extending the current CVE model to be more cloud friendly, as the current model is broken, and we call on everyone to join the movement for change.