Date Published: February 2020
Comments Due:
Email Questions to:
Author(s)
Robert Byers (NIST), David Waltermire (NIST), Christopher Turner (CocoaSystems)
Announcement
The number of Common Vulnerabilities and Exposures identifiers (CVE IDs) created year over year has rapidly increased, and this trend is expected to continue indefinitely. Currently, a National Vulnerability Database (NVD) analyst manually reviews each CVE and attaches multiple forms of CVE metadata used by downstream consumers to prioritize and assist automated vulnerability scanning tools. This is a manually intensive process, and in many cases, this metadata is provided by the source, or CNA (CVE Numbering Authority), of the CVE with no policies or procedures in place to validate and accept the information.
This draft NISTIR seeks to leverage the strength of technical knowledge provided by the CNAs and the application of consistent and unbiased CVE metadata provided by NVD analysts through the formalization of a CVE entry metadata submission process. This will allow for a more efficient integration of the CNAs’ efforts into the NVD analyst workflow, which will directly benefit downstream users and improve the security of our national IT infrastructure.
NOTE: A call for patent claims is included on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy—Inclusion of Patents in ITL Publications.
The purpose of this document is to leverage the strength of technical knowledge provided by the Common Vulnerabilities and Exposures (CVE) Numbering Authorities (CNAs) and the application of consistent and unbiased CVE metadata provided by the National Vulnerability Database (NVD) analysts through the formalization of a CVE metadata submission process. This process will enable outside entities to submit CVE metadata and allow this data to be presented to the end user with little to no NVD analyst involvement. For instances where the CVE metadata is provided, the NVD analyst will serve in the role of auditor to ensure consistent quality and integrity standards are applied, maintained, and communicated. Public recognition of the upstream participants’ level of effort and quality of data will be displayed on the public NVD website’s CVE detail page to encourage and incentivize participation.
The purpose of this document is to leverage the strength of technical knowledge provided by the Common Vulnerabilities and Exposures (CVE) Numbering Authorities (CNAs) and the application of consistent and unbiased CVE metadata provided by the National Vulnerability Database (NVD) analysts through...
See full abstract
The purpose of this document is to leverage the strength of technical knowledge provided by the Common Vulnerabilities and Exposures (CVE) Numbering Authorities (CNAs) and the application of consistent and unbiased CVE metadata provided by the National Vulnerability Database (NVD) analysts through the formalization of a CVE metadata submission process. This process will enable outside entities to submit CVE metadata and allow this data to be presented to the end user with little to no NVD analyst involvement. For instances where the CVE metadata is provided, the NVD analyst will serve in the role of auditor to ensure consistent quality and integrity standards are applied, maintained, and communicated. Public recognition of the upstream participants’ level of effort and quality of data will be displayed on the public NVD website’s CVE detail page to encourage and incentivize participation.
Hide full abstract
Keywords
Accreditation Level; Authorized Data Publisher (ADP); Common Vulnerabilities and Exposures (CVE); CVE Numbering Authority (CNA); Submission Category
Control Families
None selected
