NIST invites closer interaction with vendors on security vulnerabilities
By Ellen Messmer, NetworkWorld.com, 09/07/2006
The National Institute of Standards and Technology (NIST), which maintains a database of product software vulnerabilities
as a public reference, Thursday invited closer contact with industry to clarify and resolve disputed vulnerability information.
Peter Mell, senior computer scientist at NIST, the federal agency which manages the National Vulnerability Database (NVD),
said NIST will now work more closely with vendors by allowing them to post information clarifying how vulnerabilities may
or may not affect their products.
Mell, the NVD program manager, said the idea originated through Red Hat, which has become the first vendor given the right
to post official statements about how vulnerabilities listed in the NVD could affect their products.
“Up until today, there’s been no way for software developers to publicly address these vulnerabilities in any discussion about
their products,” Mell said. “There’s a rapid flurry of activity that happens when a vulnerability is announced. It’s an extremely
fast process and can be error-prone.”
The NVD now contains information on 19,200 vulnerabilities identified in software products over the past eight years. The
NVD receives input on vulnerabilities from Mitre based on the Common Vulnerabilities and Exposures naming standard as well
as vulnerabilities independently reported by researchers to NIST.
NIST aggregates vulnerability data believed to be accurate with information that references vendors and their products. Sometimes
the impact of a vulnerability is disputed in various ways. While vendors can post their opinions on their own Web sites or
elsewhere, until now vendor statements on vulnerabilities weren’t directly included in the NVD.
“Red Hat came to us in the middle of the summer with this idea of providing comments on the Common Vulnerabilities and having
their official statement posted,” Mell said. NIST decided that if vendors were authorized to do this through real-time postings,
it could help in providing a forum for discussion in resolving misunderstandings or disputes.
“They can provide configuration and remediation guidance and clarify how vulnerabilities impact their products,” Mell said.
More detailed information could be important because the NVD is a source of reference for security products, such as vulnerability
scanners. “The NVD is offered completely free and it gets 25 million hits per year,” Mell said.
Vendors that wish to be able to post official statements on the NVD in reference to NVD-listed vulnerabilities are invited
to contact NIST personnel by e-mailing their request.