Software Engineering Institute

Like most ontological exercises, defining what exactly constitutes a software vulnerability turns out to be at least somewhat subjective. Vulnerability databases use different definitions, scopes, identification systems, and data formats. There are some well-known, comprehensive(-ish) databases like Common Vulnerabilities and Exposures (CVE) and the Open Sourced Vulnerability Database (OSVDB), and more narrowly scoped databases like Japan Vulnerability Notes (JVN) and vendor security advisories. Differences in scope and how vulnerabilities are defined and identified lead to difficulty counting, tracking, and responding.

The FIRST Vulnerability Reporting and Data eXchange Special Interest Group (VRDX-SIG) was chartered to study existing practices and develop recommendations on how to better identify, track, and exchange vulnerability information across disparate vulnerability databases.

What are the key similarities and differences across databases?

Should there be a global vulnerability identification system, and what would it look like?

This talk presents results of the VRDX-SIG's work, including a survey and catalog of vulnerability databases, a comparison of identification systems, and recommendations on how to globally identify vulnerabilities.