Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)

Mission

VRDX-SIG is primarily chartered to research and recommend ways to identify and exchange vulnerability information across disparate vulnerability databases.

Vulnerability databases have different scopes, areas of coverage, identification systems, data schemes, feeds, and supporting languages. These differences lead to difficulty tracking and responding to vulnerability reports. By studying existing practices, the SIG seeks to develop recommendations on how to better identify, track, and exchange vulnerability information across disparate vulnerability databases.

Goals

During the first phase (2013 - 2015), the SIG surveyed vulnerability databases and ID systems, started development of a vulnerability database catalog, and presented on the major issues surrounding vulnerability ID systems, namely abstraction, duplication, and coverage. For the second phase, starting in 2015, the SIG will work towards the following goals.

Planned Meetings

This talk presented results of the VRDX-SIG's work, including a survey and catalog of vulnerability databases, a comparison of identification systems, and recommendations on how to globally identify vulnerabilities.

Future of Global Vulnerability Reporting Summit focuses on Current challenges & issues (coverage, scale, numbering and etc.) and proposed solutions of vulnerability tracking, especially "Global Vulnerability Identification Scheme". Currently one of the most well known vulnerability identification schemes is Common Vulnerabilities and Exposures (CVE). CVE is used by many organizations throughout the world for cross-referencing vulnerabilities across various databases. However, the current process governing CVE has its limitations and has not been able to keep up with the ever increasing number of vulnerabilities being discovered and made public each year. At first, we would like to discuss the limitations of the current process, and how organizations currently use CVE to link their databases across the globe to for crossreferencing vulnerabilities. Second, we would like to discuss the next steps for challenge of "Global Vulnerability Identification Scheme" on the final day.