CVMAP for CVE Numbering Authorities (CNAs) and Authorized Data Publishers: NISTIR 8246

 

Intended
audience:  CNAs (CVE Numbering Authorities), Authorized Data Publishers]

NIST
announces the publication of NISTIR
8246
Collaborative
Vulnerability Metadata Acceptance Process (CVMAP) for CVE Numbering Authorities
(CNAs) and Authorized Data Publishers
.

The
number of Common Vulnerabilities and Exposures identifiers (CVE IDs) created
year over year has rapidly increased, and this trend is expected to continue
indefinitely. Currently, a National
Vulnerability Database (NVD)
 analyst manually reviews each CVE
and attaches multiple forms of CVE metadata used by downstream consumers to
prioritize and assist automated vulnerability scanning tools. This is a
manually intensive process, and in many cases, this metadata is provided by the
source, or CNA (CVE Numbering Authority), of the CVE with no policies or
procedures in place to validate and accept the information.

This
NISTIR leverages the technical knowledge provided by the CNAs and the
application of consistent CVE metadata provided by NVD analysts through the
formalization of a CVE entry metadata submission process. This allows for more
efficient integration of the CNAs’ efforts into the NVD analyst workflow, which
directly benefits downstream users and improves the security of our national IT
infrastructure.

Publication
details:
https://csrc.nist.gov/publications/detail/nistir/8246/final

National
Vulnerability Database (NVD):
https://nvd.nist.gov/