To know a threat, you have to name it. And before bugs got sexy brands like Heartbleed and Shellshock, a little-known but vital database tracked them by number.

Now, the Common Vulnerabilities and Exposures list, a 17-year-old database backed by the Department of Homeland Security and maintained by nonprofit government contractor Mitre, faces a flood of new bugs it has admitted it can’t handle. A proposal to update its operations is stalled amid infighting among experts.

Hundreds of software programs that guard against cyberthreats use the list’s nomenclature, and security researchers view getting a CVE number as a credential of sorts — a sign of legitimacy for their efforts to poke holes in software so they can be fixed before hackers exploit them.

Larry Cashdollar, a senior engineer at Akamai Technologies, still remembers when an odd flaw he found in a music-synthesizer program became CVE-1999-0765.

He was 23 when he discovered that ripping through the on-screen piano keys gave him administrative access to a Silicon Graphics workstation computer. He didn’t even have to contact CVE administrators to get his bug listed; he just sent a message about it to a popular bug-tracking email list, and someone picked it up from there.

With more than a hundred CVE numbers to his name, you would think Cashdollar could get administrators’ attention. He has hundreds of newly discovered bugs to report that affect WordPress, an online publishing tool used by more than a quarter of all websites — a problem that would seem to fall under the list’s charter. But the New Hampshire security researcher says a CVE number has become something he can’t beg, steal, borrow or barter.

“Two years ago or so, I could get a number in about 24 hours,” he said. Now, he added, he is “completely ignored.”

The fundamental problem with the list — why Cashdollar and other researchers have to take a metaphorical number to get a literal one — is that the nature of software has changed. The list lets big hardware and software makers act as “naming authorities” who can add bugs on their own, drawing on blocks of preassigned numbers. Those companies include Adobe, Apple, Cisco, Google and Oracle.

Yet that elite group excludes companies like Automattic, the maker of WordPress; Salesforce and Twitter, whose Heroku and Fabric software runs other companies’ mobile apps; and many others. Those still having that power include fading tech names like BlackBerry, Novell and Silicon Graphics.

“Unfortunately, CVE can no longer guarantee full coverage of all public vulnerabilities,” wrote the list’s original editor, Steve Christey Coley, in a 2013 email. Christey Coley resigned as the list’s editor in October, though he remains employed by Mitre and is working on other cybersecurity projects.

Proposals to upgrade the list have stalled. While Mitre has an annual budget of roughly $1.3 billion, according to government filings, only a tiny percentage goes to CVE and related projects. For years, CVE was run by a two-person staff, and even now, fewer than 10 people work on it, according to a Mitre spokesman.

At the same time, the need for CVE has spread far beyond its original mission. Software is no longer limited to computer desktops, laptops and servers. Now cars, refrigerators, watches, thermostats and televisions have Internet-connected operating systems that are vulnerable to hackers.

“The recent explosion of Internet-enabled devices — known as the Internet of Things — as well as the propagation of software-based functionality in systems has led to a huge increase in the number of CVE requests we have been receiving on a daily basis. We did not anticipate this rate of growth, and, as a result, were not as prepared for the latest surge in requests over the past 12 months as we had hoped,” reads an update posted at the top of the list’s homepage.

Big discrepancies

Meanwhile, companies struggle to secure themselves.

“What’s happening is that there is a deviation between ‘publicly known’ and ‘actually known,’ and that’s dangerous,” said security researcher Dan Kaminsky.

There are other databases, such as Exploit-DB, that are publicly available to search. Risk Based Security in Richmond, Va., maintains the VulnDB directory for paying customers.

These paid bug databases can be more comprehensive. By the end of 2015, for instance, VulnDB had recorded roughly 6,000 more issues than CVE, according to a report. But it’s harder for companies, researchers and government agencies to work together to fix bugs that lack a common name.

Since 2009, Mitre has been considering a new “federated” system, where anyone will be able to report issues related to any kind of software, in contrast to the current top-down system.

“On Day 1, anyone can request an ID,” said Chris Levendis, Mitre’s standards and technology project lead, of the proposed system. “If it meets the appropriate parameters, we’ll issue them a federated CVE ID.”

Those parameters, Levendis said, “are still under discussion.”

Even a seemingly obscure proposal to change the format of CVE numbers created a storm of dissent from members of the editorial board that advises Mitre on maintaining the list.

“This breaks every piece of CVE software currently in existence,” wrote Red Hat information security analyst Kurt Seifried, a member of the editorial board, in an email on March 17 to other board members. “Before the industry collectively puts a few tens (or) hundreds of thousands of hours of work and quite a lot of money into supporting this, is there any guarantee from Mitre that this is a long-term project?”

Other board members echoed Seifried’s concerns.

Jennifer Lang, a spokeswoman for Mitre, said the project had abandoned that specific proposal and postponed the trial of federated CVE numbers.

“CVE is for coordination of vulnerability information for products and sources that are the most important to the most people.”

Going downhill

Seifried said the situation has gotten progressively worse since Christey Coley resigned.

“He’s the reason that CVE and Mitre worked for as long as they did,” said Seifried. “He carried it on his shoulders. They had this guy who never slept and drank a lot of coffee. And that’s great, until it isn’t.”

This month, Seifried, who remains a CVE editorial board member, unveiled a potential replacement for the list called the Distributed Weakness Filing System. Individuals would get blocks of numbers they could assign to bugs as they choose, with volunteer coordinators funneling those bugs to an authoritative list.

“For this to scale, it needs to be in the hands of the (security) community, unless Mitre hires a thousand analysts tomorrow,” Seifried said. “If I can’t trust guys like Larry Cashdollar to assign numbers, then I can’t trust anyone at this point.”

In February, after Cashdollar discovered more than 1,300 flaws in roughly 950 WordPress plug-ins — add-ons that customize the publishing software — he didn’t even think to alert Mitre.

“I couldn’t fathom them acknowledging 1,000-plus security vulnerabilities,” he said. “They would be processing those plug-ins for the next decade.”

Instead, he told a group of volunteers who maintain WordPress’ open-source software. They’re still sorting out the reports, Cashdollar said, with no estimate of when they’ll all be fixed.

To label those bugs, Seifried gave Cashdollar a block of numbers under his new system.

Cashdollar did end up sending an email to Mitre — the only option for independent researchers like him to submit a bug in software that falls outside CVE’s list of companies it tracks.

“I never got a response back,” he said. “I didn’t expect one, either.”

Sean Sposito is a San Francisco Chronicle staff writer. Email: ssposito@sfchronicle.com Twitter: @seansposito