Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST IR 8138 (Initial Public Draft)

Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities

Date Published: September 2016
Comments Due: October 31, 2016 (public comment period is CLOSED)
Email Questions to:

Planning Note (03/10/2022): For current information on NIST’s Vulntology Project, see


Harold Booth (NIST), Christopher Turner (BAH)


NISTIR 8138 aims to describe a more effective and efficient methodology for characterizing vulnerabilities found in various forms of software and hardware implementations including but not limited to information technology systems, industrial control systems or medical devices to assist in the vulnerability management process. The primary goal of the described methodology is to enable automated analysis using metrics such as the Common Vulnerability Scoring System (CVSS). Additional goals include establishing a baseline of the minimum information needed to properly inform the vulnerability management process, and facilitating the sharing of vulnerability information across language barriers.

This is the first of several anticipated drafts of the Vulnerability Description Ontology (VDO), which describes a methodology for characterizing vulnerabilities. The VDO is not intended to be complete at this time and the authors do not expect that this draft reflects the full breadth and depth of the information needed to fully automate the descriptions for vulnerabilities. Reviewers are asked to provide feedback on terminology that is unclear, in conflict with established practice and are encouraged to provide feedback and examples where the current draft falls short in enabling the description of a vulnerability. Future drafts will be produced attempting to incorporate feedback consistent with the purpose of the document and the goal of improving the final version.



taxonomy; vulnerabilities; software defects; vulnerability management; patching; ontology
Control Families

Configuration Management


Draft NISTIR 8138 (pdf)

Supplemental Material:
Vulntology Project -- current project on GitHub

Document History:
09/30/16: IR 8138 (Draft)


Security and Privacy

security automation, threats, vulnerability management