Date Published: September 2016
Comments Due: October 31, 2016 (public comment period is CLOSED)
Email Questions to: firstname.lastname@example.org
Harold Booth (NIST), Christopher Turner (BAH)
NISTIR 8138 aims to describe a more effective and efficient methodology for characterizing vulnerabilities found in various forms of software and hardware implementations including but not limited to information technology systems, industrial control systems or medical devices to assist in the vulnerability management process. The primary goal of the described methodology is to enable automated analysis using metrics such as the Common Vulnerability Scoring System (CVSS). Additional goals include establishing a baseline of the minimum information needed to properly inform the vulnerability management process, and facilitating the sharing of vulnerability information across language barriers.
This is the first of several anticipated drafts of the Vulnerability Description Ontology (VDO), which describes a methodology for characterizing vulnerabilities. The VDO is not intended to be complete at this time and the authors do not expect that this draft reflects the full breadth and depth of the information needed to fully automate the descriptions for vulnerabilities. Reviewers are asked to provide feedback on terminology that is unclear, in conflict with established practice and are encouraged to provide feedback and examples where the current draft falls short in enabling the description of a vulnerability. Future drafts will be produced attempting to incorporate feedback consistent with the purpose of the document and the goal of improving the final version.
Keywords ontology; patching; taxonomy; vulnerabilities; software defects; vulnerability management