By William Jackson
The National Institute of Standards and Technology today launched a
service within its National Vulnerability Database that will allow
vendors to discuss the impact of vulnerabilities on their products.
"The service is designed to be a public forum for vendors to comment on
the vulnerabilities, and to have those comments embedded in databases
and discussions," said NVD program manager Peter Mell.
The National Vulnerability Database is an outgrowth of the Common
Vulnerabilities and Exposures dictionary, developed and maintained by
Mitre Corp., which establishes a standard naming scheme for software
vulnerabilities. NIST established NVD as a central source for
information on vulnerabilities, using the CVE. The database, at
http://nvd.nist.gov, receives 25 million hits a year and an Extensible
Markup Language feed updates the information for subscribers every two
The database contains information from researchers about vulnerabilities
they have found, but typically not from vendors who develop and sell the
software products that might be affected.
"There hasn't been a public forum for software vendors where they can
say, here's some more information," Mell said.
The impetus for the program came from Mark J. Cox, security response
director for Red Hat Inc. of Raleigh, N.C., which sells open-source
software including Red Hat Linux and SELinux.
"We've been putting a lot of security into Red Hat and SELinux, and
often the reported vulnerabilities do not appear in our software," Cox
said. But there had been no good way to disseminate that information
except through its own announcements.
"He came to me and said, 'We need this kind of service; can you provide
it?'" Mell said. And it turned out NIST could. "It technically was very
NIST provides a Web portal for vendors with accounts that lets them post
official statements about vulnerabilities. These can include information
on what versions and products are affected or not affected, guidance on
configuration and remediation, analysis, explanations and disputes. The
statements appear on the same page as the vulnerability being described.
NIST verifies designated vendor officials who receive the accounts on
the service and authenticates users accessing the service to make posts.
The service went through an eight-week pilot with Red Hat as the first
company posting comments. Since then, Mandriva of San Diego, another
Linux developer, also has set up an account and begun posting comments.
The service now is live.
"It's my hope that the industry at large will want to participate,"
Cox said. Red Hat will evangelize the service, which he expects will be
particularly helpful to the open-source community.
"This is really useful for software that is shipped by multiple
vendors," he said. "But the service is going to be open for everyone."