
RE: Vulnerability Description Ontology



This might come off like a rant but it's really not

NVD (namely, Harold) has been working on a bigger and better structured format for security bug data for ages, especially since CVRF came out, which was/is basically an advisory format so that multiple incumbent vendors can share testing and patch data.

This ontology, from my perspective, is a strong attempt at creating a way for security-affecting bug knowledge to be captured in a structure that accommodates all the wacky use cases we've learned about over the decades (decades!) so that various collectors, curators and creators of such data can share alike.

A few years ago it was okay to have proprietary scripts and expert knowledge serving the purpose, but now there's too many vulns (with and without CVEs) and too many DBs and tools. Harold's ontology draft is the beginning of a better and more systematic approach.

Did I overdo it? Am I false?



Tom Millar, US-CERT

Sent from +1-202-631-1915
https://www.us-cert.gov

From: owner-cve-editorial-board-list@lists.mitre.org on behalf of jericho
Sent: Wednesday, October 05, 2016 11:37:19 PM
To: Booth, Harold (Fed)
Cc: cve-editorial-board-list@lists.mitre.org
Subject: Re: Vulnerability Description Ontology

: This is the first of hopefully several drafts and we are looking at the
: comments to see in which ways we need to modify in order to satisfy the
: needs for vulnerability management.

I am curious what perceived 'gap' in vulnerability management this is
designed to fill. Can you elaborate on the origins of this initiative?

Brian

Page Last Updated or Reviewed: October 06, 2016