Collaborative Vulnerability Metadata Acceptance Process (CVMAP) for CVE Numbering Authorities (CNAs) and Authorized Data Publishers

Byers, Robert; Waltermire, David; Turner, Christopher

doi:https://doi.org/10.6028/NIST.IR.8246

NISTIR 8246

Collaborative Vulnerability Metadata Acceptance Process (CVMAP) for CVE Numbering Authorities (CNAs) and Authorized Data Publishers

Documentation Topics

Date Published: December 2020

Author(s)

Robert Byers (NIST), David Waltermire (NIST), Christopher Turner (NIST)

Abstract

The purpose of this document is to leverage the strength of technical knowledge provided by the Common Vulnerabilities and Exposures (CVE) Numbering Authorities (CNAs) and the application of consistent and unbiased CVE record metadata provided by the National Vulnerability Database (NVD) analysts through the formalization of a CVE record metadata submission process. This process will enable outside entities to submit CVE record metadata and allow this data to be presented to the end user with little to no NVD analyst involvement. For instances where the CVE record metadata is provided, the NVD analyst will serve in the role of auditor to ensure that consistent transparency and quality standards are applied, maintained, and communicated. Public recognition of the upstream participants’ level of effort and consistency of data will be displayed on the public NVD website’s CVE detail page to encourage and incentivize participation.

Keywords

Accreditation Level; Authorized Data Publisher (ADP); Common Vulnerabilities and Exposures (CVE); CVE Numbering Authority (CNA); submission category

Control Families

None selected

Documentation

Publication:
NISTIR 8246 (DOI)
Local Download

Supplemental Material:
National Vulnerability Database (NVD) (web)

Document History:
02/10/20: NISTIR 8246 (Draft)
12/15/20: NISTIR 8246 (Final)

Topics

Security and Privacy
audit & accountability; maintenance; security automation; vulnerability management