The National Institute of Standards and Technologies (NIST) launched its National Vulnerability Database (NVD), a free archive that provides links to vendor and third-party resources addressing technology bugs, about a year ago. However, the database, which is frequently surfed by IT security pros, lacked a component that allowed more detailed vendor input on holes.
With a recent change, vendors now can use the database to more thoroughly address the noted flaws through the NVD Vendor Official Statement Service. It provides an open forum for vendors, in addition to response teams and advisory services, to comment on Common Vulnerabilities and Exposures (CVE).
Peter Mell, a senior computer scientist at NIST, says the newly established archive provides one-stop shopping for those seeking vulnerability information, while the added comment section allows vendors to dispute or support reported vulnerabilities.
"You might want to dispute third-party vulnerability information, fully explain the impact of certain vulnerabilities, clarify the applicability of a patch or provide configuration and remediation guidance in the absence of a patch," Mell says.
NIST launched the service at the urging of open-source software leader Red Hat, he says.
"This is the only [vulnerability database] that lets vendors go in and make statements about those vulnerabilities," says Mark Cox, director of security response at Red Hat.
Since it started publicly posting, Red Hat has received fewer customer troubleshooting calls. The service has clear benefits for the open-source community, Mell says.
For example, if a vulnerability is reported in Linux operating system's Apache web server, which is shipped out by many vendors, those companies can make more accurate statements related to their respective versions. The Red Hat, IBM and Novell versions may not all contain the flaw.
Mell hopes the service will catch on — so far, Red Hat is the only software maker to take advantage — and some day be provided as an XML feed that other vulnerability database managers can incorporate into their services.
— Dan Kaplan