search menu icon-carat-right cmu-wordmark

VRDX-SIG: Global Vulnerability Identification

June 2015 Presentation
Art Manion, Takayuki Uchiyama, Masato Terada

Read about the results of the VRDX-SIG, a group chartered to develop recommendations for identifying, tracking, and exchanging information across disparate vulnerability databases.

Abstract

Like most ontological exercises, defining what exactly constitutes a software vulnerability turns out to be at least somewhat subjective. Vulnerability databases use different definitions, scopes, identification systems, and data formats. There are some well-known, comprehensive(-ish) databases like Common Vulnerabilities and Exposures (CVE) and the Open Sourced Vulnerability Database (OSVDB), and more narrowly scoped databases like Japan Vulnerability Notes (JVN) and vendor security advisories. Differences in scope and how vulnerabilities are defined and identified lead to difficulty counting, tracking, and responding.

The FIRST Vulnerability Reporting and Data eXchange Special Interest Group (VRDX-SIG) was chartered to study existing practices and develop recommendations on how to better identify, track, and exchange vulnerability information across disparate vulnerability databases.

What are the key similarities and differences across databases?

Should there be a global vulnerability identification system, and what would it look like?

This talk presents results of the VRDX-SIG's work, including a survey and catalog of vulnerability databases, a comparison of identification systems, and recommendations on how to globally identify vulnerabilities.