Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)

Mission

VRDX-SIG is primarily chartered to research and recommend ways to identify and exchange vulnerability information across disparate vulnerability databases.

Vulnerability databases have different scopes, areas of coverage, identification systems, data schemes, feeds, and supporting languages. These differences lead to difficulty tracking and responding to vulnerability reports. By studying existing practices, the SIG seeks to develop recommendations on how to better identify, track, and exchange vulnerability information across disparate vulnerability databases.

Goals

During the first phase (2013 - 2015), the SIG surveyed vulnerability databases and ID systems, started development of a vulnerability database catalog, and presented on the major issues surrounding vulnerability ID systems, namely abstraction, duplication, and coverage. For the second phase, starting in 2015, the SIG will work towards the following goals.

  • Vulnerability ID Cross Reference System
    Develop a vulnerability ID cross-reference system. Test it with two or more vulnerability databases. Publish documentation and test results. Consider integration with the Vulnerability Data Model.
  • Vulnerability Data Model
    Consider including the cross-reference system in a more comprehensive vulnerability data model, developing such a model within the SIG, contributing to such a model outside of the SIG, and developing requirements for a minimum model that supports the cross-reference system.
  • Vulnerability Database Catalog
    Develop and publish a catalog of vulnerability databases. Maintain at best effort, consider open or crowd-sourced maintenance options.
  • Vulnerability Disclosure Policy Catalog
    Develop and publish a catalog of vulnerability disclosure and handling policies and frameworks. Maintain at best effort, consider open or crowd-sourced maintenance options.

Planned Meetings

  • VRDX-SIG: Global Vulnerability Identification
    27th Annual FIRST Conference
    Berlin, (DE) June 18, 2015

    This talk presented results of the VRDX-SIG's work, including a survey and catalog of vulnerability databases, a comparison of identification systems, and recommendations on how to globally identify vulnerabilities.

  • Future of Global Vulnerability Reporting Summit
    Kyoto 2012 FIRST Technical Colloquium
    Kyoto, (JP) November 13-15, 2012

    The Future of Global Vulnerability Reporting Summit focuses on current challenges and issues (coverage, scale, numbering, etc.) and proposed solutions for vulnerability tracking, especially a "Global Vulnerability Identification Scheme". Currently one of the most well-known vulnerability identification schemes is Common Vulnerabilities and Exposures (CVE). CVE is used by many organizations throughout the world for cross-referencing vulnerabilities across various databases. However, the current process governing CVE has its limitations and has not been able to keep up with the ever-increasing number of vulnerabilities being discovered and made public each year. First, we would like to discuss the limitations of the current process, and how organizations currently use CVE to link their databases across the globe for cross-referencing vulnerabilities. Second, on the final day, we would like to discuss the next steps for the challenge of a "Global Vulnerability Identification Scheme".

  • Global Vulnerability Reporting & Identification
    8th Annual IT Security Automation Conference
    Baltimore, (US) October 3rd to 5th, 2012

  • Future of Global Vulnerability Reporting
    7th Annual IT Security Automation Conference
    Arlington, (US) October 31st to November 2nd, 2011

Chair

Art Manion, CERT Coordination Center

VRDX-SIG secretariat

Masato Terada, Hitachi Incident Response Team
Taki Uchiyama, JPCERT Coordination Center