Summary: We propose building a global platform for vulnerability reporting and alerting, based on manufacturer control of submitted data, with third-party data providers supplying additional data, and supported by funding and steering from multiple sources representing global stakeholders. The current platform is mainly funded by a single state and has a tradition of a third party adding essential data, such as component names, without any influence by the product owner. As legislation on cybersecurity in products comes into force, it is essential that there is a global view and coordination of this essential system – for users and manufacturers both. Users of products need to be able to answer the question: “Is the product safe to use?”

This document starts with the current situation, analyses various problems with it and then moves on to propose a way forward, building a global multi-stakeholder platform.

The current situation and background

There are many vulnerability platforms, but the core one is the CVE program’s database. This is a short introduction to CVE and the NVD. See the references below for pointers to more information.
Let’s focus on a few actors and concepts:

  • CVE ID: Common Vulnerability and Exposures ID – a unique identifier for a vulnerability
  • CVE Format: A standard format for machine-parseable vulnerability reports
  • CVE Numbering Authorities (CNA): Organisations, ranging from commercial manufacturers and authorities to open source projects, that create entries in the CVE database.
  • CVE Program: An organisation funded by the US Department of Homeland Security that manages the database and organises working groups to coordinate and develop best current practices, rules and formats for CVEs and CNAs. Operated by MITRE. Launched as the CVE List in 1999.
  • ADP, Additional Data Providers: Organisations that enrich CVEs by providing additional data.

A CNA that discovers or receives a report about a vulnerability requests a unique CVE ID. When ready to publish, the CNA publicly discloses the CVE using the CVE format. After publication, other providers (currently only CISA) can publish additional data.

The combined data stream has been used as input for the National Vulnerability Database, NVD. The NVD used to enrich CVE data with an identifier (CPE) for the software and manufacturer, a CVSS severity score and a CWE categorisation of the vulnerability.
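To make this data flow concrete, the following is an added example (not part of this proposal and not CVE program code) that reads a CVE JSON 5.x record and reports whether the CPE, CVSS and CWE data a user needs came from the CNA container (the product owner) or from an ADP container (a third party). The record is constructed for illustration; the CVE ID, vendor, product and provider name are placeholders.

```python
import json

# Constructed CVE JSON 5.x record: a placeholder ID, a placeholder vendor/product, and a
# placeholder ADP name. The CNA container is the product owner's data; each ADP container is
# third-party enrichment published after the CNA's disclosure.
SAMPLE_RECORD = json.dumps({
    "cveMetadata": {"cveId": "CVE-0000-00000", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "affected": [{"vendor": "examplevendor", "product": "exampleproduct",
                          "versions": [{"version": "1.0", "status": "affected"}]}],
            "descriptions": [{"lang": "en", "value": "Constructed example vulnerability."}],
            "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79",
                                                "description": "Cross-site scripting"}]}],
        },
        "adp": [{
            "providerMetadata": {"shortName": "example-adp"},
            "affected": [{"vendor": "examplevendor", "product": "exampleproduct",
                          "cpes": ["cpe:2.3:a:examplevendor:exampleproduct:1.0:*:*:*:*:*:*:*"]}],
            "metrics": [{"cvssV3_1": {"baseScore": 6.1, "baseSeverity": "MEDIUM"}}],
        }],
    },
})

def _cpes(c):
    return [cpe for a in c.get("affected", []) for cpe in a.get("cpes", [])]

def _cvss_scores(c):
    return [m[k]["baseScore"] for m in c.get("metrics", []) for k in m if k.startswith("cvssV")]

def _cwes(c):
    return [d["cweId"] for p in c.get("problemTypes", [])
            for d in p.get("descriptions", []) if "cweId" in d]

def enrichment_provenance(record_json):
    """Map each enrichment field (cpe, cvss, cwe) to the containers that supplied it."""
    rec = json.loads(record_json)
    containers = [("cna", rec["containers"]["cna"])]
    containers += [(adp.get("providerMetadata", {}).get("shortName", "adp"), adp)
                   for adp in rec["containers"].get("adp", [])]
    result = {"cpe": [], "cvss": [], "cwe": []}
    for name, c in containers:
        if _cpes(c): result["cpe"].append(name)
        if _cvss_scores(c): result["cvss"].append(name)
        if _cwes(c): result["cwe"].append(name)
    return result

def missing_enrichment(record_json):
    """Fields with no source at all: a consumer cannot answer 'is it safe?' from these."""
    return sorted(k for k, v in enrichment_provenance(record_json).items() if not v)
```

Run against the sample, the CPE and CVSS data are attributed only to the ADP and the CWE only to the CNA, which is exactly the split between product-owner data and third-party enrichment that this proposal discusses.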

Users of these databases

These databases are used by software platforms that want to check for vulnerabilities and exploits, based on a Software Bill of Materials (SBOM) or by other means.
There are other databases, both commercial and freely available, that all use the same identifier system – CVE. Others use their own identifiers but commonly refer to the CVE identifier as an alias.