- Type: Task
- Status: New
- Priority: Critical
- Resolution: Unresolved
- Affects Version/s: None
- Fix Version/s: None
- Component/s: None
- Labels:
- Environment:
[New]
This issue (task) is one of many similar formal issues that formalise the TC's process for analysing similar work.
It deals with the analysis of the "Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities" (cf. http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf ),
which to the reporter appears to be either similar work w.r.t. the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ) or work to be considered for enabling synergy and minimising duplication.
This issue allows us to track and document the progress and findings of the CSAF TC on the following:
1. understand and summarise VDO (including its relation to e.g. CVSS)
2. ensure synergy potentials are identified
3. discuss the relation to, and the reaction to, VDO
4. document the results
When checked on 2016-12-13, the referenced document (PDF format) existed at the URL http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf and the following bibliographic data was identified:
URL = http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf
Authors/Editors = Harold Booth and Christopher Turner
AuthorInstitution = National Institute of Standards and Technology (NIST, http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8138 )
DocumentDate = 2016-09-30
CommentPeriodEnded = 2016-10-31
Keywords = software defects; ontology; patching; taxonomy; vulnerabilities; vulnerability management
DocumentStatus = draft
DocumentCopyrightPolicy = "NIST"
Abstract (from the publication overview at http://csrc.nist.gov/publications/PubsDrafts.html#NIST-IR-8138 ):
"""
NISTIR 8138
DRAFT Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities
NISTIR 8138 aims to describe a more effective and efficient methodology for characterizing vulnerabilities found in various forms of software and hardware implementations including but not limited to information technology systems, industrial control systems or medical devices to assist in the vulnerability management process. The primary goal of the described methodology is to enable automated analysis using metrics such as the Common Vulnerability Scoring System (CVSS). Additional goals include establishing a baseline of the minimum information needed to properly inform the vulnerability management process, and facilitating the sharing of vulnerability information across language barriers.
This is the first draft of several anticipated drafts of a document intended to describe a methodology for characterizing vulnerabilities. It is not intended to be complete at this time and the authors do not expect that this draft reflects the full breadth and depth of the information needed to fully automate the descriptions for vulnerabilities. Reviewers are asked to provide feedback on terminology that is unclear or in conflict with established practice, and are encouraged to provide feedback and examples where the current draft falls short in enabling the description of a vulnerability. Future drafts will be produced attempting to incorporate feedback consistent with the purpose of the document and the goal of improving the final version.
The public comment period closed on October 31, 2016.
Questions? Send email to: nistir8138@nist.gov
Draft NISTIR 8138: http://csrc.nist.gov/publications/drafts/nistir-8138/nistir_8138_draft.pdf
Comment Template: http://csrc.nist.gov/publications/drafts/nistir-8138/draft_nistir_8138_comment_form.doc
"""