Olle E. Johansson

The core of the vulnerability management system is shaking, and we need to work on both a short-term solution and a long-term solution. This document focuses on the long-term solution – a global federated system for vulnerability management.

These thoughts started rolling around in my head when the EU legislation became clear. I heard then (two years ago) that the NVD was about 25 people and lacked funding. This worried me. Then it became worse. With the recent cuts by the US administration it became even more clear that there needs to be global funding for the vulnerability tracking system.

I would like multiple organisations to be part of this effort. Hopefully across the world. Maybe a short-lived task force should be formed where multiple parties can join the discussion and move forward. My personal feeling is that this will take years to complete and any change needs to happen gradually.

Let’s not focus on the technical aspect first

In many discussions (yes, I’ve had a lot) we quickly go from organisational issues to technical details – PURL or CPE, JSON or XML, synchronisation, federation… We love those discussions and we’re good at them.

Those issues can and will be solved. The first focus has to be organisational – how do we take the first steps, which parties need to be involved, which global organisations and states/unions need to be part of the solution, at the start and in the long run? These are issues we don’t solve by writing technical specs or code.

Global involvement is essential

We just have to give it time, hash out issues and slowly move forward. Many people, organisations, vendors, academia and authorities need to be able to raise their voice, take co-ownership and help the process move forward. Patience will be a needed virtue.

This process needs to be funded to enable maintainers to focus, document and support the process moving forward. How do we organise that in the best way?

In parallel we can create test labs to develop platforms, APIs and solutions for the technical platform and move forward in gradual, well-defined steps. Steps that we know how to handle, have experience of and love doing. Which is why we need to start that process after the first one – building the organisational home for a global multi-stakeholder platform.

/Olle E. Johansson
oej@edvina.net