Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)

Mission

VRDX-SIG is primarily chartered to research and recommend ways to identify and exchange vulnerability information across disparate vulnerability databases.

Vulnerability databases have different scopes, areas of coverage, identification systems, data schemes, feeds, and supporting languages. These differences lead to difficulty tracking and responding to vulnerability reports. By studying existing practices, the SIG seeks to develop recommendations on how to better identify, track, and exchange vulnerability information across disparate vulnerability databases.

Goals

During the first phase (2013 - 2015), the SIG surveyed vulnerability databases and ID systems, started development of a vulnerability database catalog, and presented on the major issues surrounding vulnerability ID systems, namely abstraction, duplication, and coverage. For the second phase, starting in 2015, the SIG will work towards the following goals.

• Vulnerability ID Cross Reference System
  Develop vulnerability ID cross reference system. Test with two or more vulnerability databases. Publish documentation and test results. Consider integration with Vulnerability Data Model.
• Vulnerability Data Model
  Consider including cross reference system in a more comprehensive vulnerability data model, developing such a model within the SIG, contributing to such a model outside of the SIG, and develop requirements for a minimum model to support the cross reference system.
• Vulnerability Database Catalog
  Develop and publish a catalog of vulnerability databases. Maintain at best effort, consider open or crowd-sourced maintenance options.
• Vulnerability Disclosure Policy Catalog
  Develop and publish a catalog of vulnerability disclosure and handling policies and frameworks. Maintain at best effort, consider open or crowd-sourced maintenance options.

Chair

• Art Manion, CERT Coordination Center

Secretariat

• Masato Terada, Hitachi Incident Response Team
• Taki Uchiyama, JPCERT Coordination Center

Planned Meetings

• 2nd Global Vulnerability Reporting Summit
  Osaka 2018 FIRST Technical Colloquium
  Osaka, (JP) March 14-16, 2018

  2nd Global Vulnerability Reporting Summit will consist of working sessions on a number of vulnerability information systems topics. The primary goal of the summit is to develop a global vision to improve multiple aspects of the vulnerability response lifecycle.

• VRDX-SIG: Global Vulnerability Identification
  27th Annual FIRST Conference
  Berlin, (DE) June 18, 2015

  This talk presented results of the VRDX-SIG's work, including a survey and catalog of vulnerability databases, a comparison of identification systems, and recommendations on how to globally identify vulnerabilities.

• Future of Global Vulnerability Reporting Summit
  Kyoto 2012 FIRST Technical Colloquium
  Kyoto, (JP) November 13-15, 2012

  Future of Global Vulnerability Reporting Summit focuses on Current challenges & issues (coverage, scale, numbering and etc.) and proposed solutions of vulnerability tracking, especially "Global Vulnerability Identification Scheme". Currently one of the most well known vulnerability identification schemes is Common Vulnerabilities and Exposures (CVE). CVE is used by many organizations throughout the world for cross-referencing vulnerabilities across various databases. However, the current process governing CVE has its limitations and has not been able to keep up with the ever increasing number of vulnerabilities being discovered and made public each year. At first, we would like to discuss the limitations of the current process, and how organizations currently use CVE to link their databases across the globe to for crossreferencing vulnerabilities. Second, we would like to discuss the next steps for challenge of "Global Vulnerability Identification Scheme" on the final day.

• Global Vulnerability Reporting & Identification
  8th Annual IT Security Automation Conference
  Baltimore, (US) October 3rd to 5th, 2012

• Future of Global Vulnerability Reporting
  7th Annual IT Security Automation Conference
  Arlington, (US) October 31st to November 2nd, 2011

  Request to Join

• Initiatives
  • Special Interest Groups (SIGs)
    • SIGs Framework
    • Academic Security SIG
    • AI Security SIG
    • Automation SIG
    • Big Data SIG
    • Common Vulnerability Scoring System (CVSS-SIG)
      • Calculator
      • Specification Document
      • User Guide
      • Examples
      • Frequently Asked Questions
      • CVSS v4.0 Documentation & Resources
        • CVSS v4.0 Calculator
        • CVSS v4.0 Specification Document
        • CVSS v4.0 User Guide
        • CVSS v4.0 Examples
        • CVSS v4.0 FAQ
      • CVSS v3.1 Archive
        • CVSS v3.1 Calculator
        • CVSS v3.1 Specification Document
        • CVSS v3.1 User Guide
        • CVSS v3.1 Examples
        • CVSS v3.1 Calculator Use & Design
      • CVSS v3.0 Archive
        • CVSS v3.0 Calculator
        • CVSS v3.0 Specification Document
        • CVSS v3.0 User Guide
        • CVSS v3.0 Examples
        • CVSS v3.0 Calculator Use & Design
      • CVSS v2 Archive
        • CVSS v2 Complete Documentation
        • CVSS v2 History
        • CVSS-SIG team
        • SIG Meetings
        • Frequently Asked Questions
        • CVSS Adopters
        • CVSS Links
      • CVSS v1 Archive
        • Introduction to CVSS
        • Frequently Asked Questions
        • Complete CVSS v1 Guide
      • JSON & XML Data Representations
      • CVSS On-Line Training Course
      • Identity & logo usage
    • CSIRT Framework Development SIG
    • Cyber Insurance SIG
      • Cyber Insurance SIG Webinars
    • Cyber Threat Intelligence SIG
      • Curriculum
        • Introduction
        • Introduction to CTI as a General topic
        • Methods and Methodology
        • Priority Intelligence Requirement (PIR)
        • Source Evaluation and Information Reliability
        • Machine and Human Analysis Techniques (and Intelligence Cycle)
        • Threat Modelling
        • Training
        • Standards
        • Glossary
        • Communicating Uncertainties in CTI Reporting
      • Webinars and Online Training
      • Building a CTI program and team
        • Program maturity stages
          • CTI Maturity model - Stage 1
          • CTI Maturity model - Stage 2
          • CTI Maturity model - Stage 3
        • Program Starter Kit
        • Resources and supporting materials
    • Digital Safety SIG
    • DNS Abuse SIG
      • Code of Conduct & Other Policies
      • Examples of DNS Abuse
    • Ethics SIG
      • Ethics for Incident Response Teams
    • Exploit Prediction Scoring System (EPSS)
      • The EPSS Model
      • Data and Statistics
      • User Guide
      • EPSS Research and Presentations
      • Frequently Asked Questions
      • Who is using EPSS?
      • Open-source EPSS Tools
      • API
      • Related Exploit Research
      • Blog
        • Understanding EPSS Probabilities and Percentiles
        • Log4Shell Use Case
        • Estimating CVSS v3 Scores for 100,000 Older Vulnerabilities
      • Data Partners
    • FIRST Multi-Stakeholder Ransomware SIG
    • Human Factors in Security SIG
    • Industrial Control Systems SIG (ICS-SIG)
    • Information Exchange Policy SIG (IEP-SIG)
    • Information Sharing SIG
      • Malware Information Sharing Platform
    • Law Enforcement SIG
    • Malware Analysis SIG
      • Malware Analysis Framework
      • Malware Analysis Tools
    • Metrics SIG
      • Metrics SIG Webinars
    • NETSEC SIG
    • Passive DNS Exchange
    • PSIRT SIG
    • Red Team SIG
    • Retail and Consumer Packaged Goods (CPG) SIG
    • Security Lounge SIG
    • Threat Intel Coalition SIG
      • Membership Requirements and Veto Rules
    • Traffic Light Protocol (TLP-SIG)
    • Transportation and Mobility SIG
    • Vulnerability Coordination
      • Multi-Party Vulnerability Coordination and Disclosure
      • Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure
    • Vulnerability Reporting and Data eXchange SIG (VRDX-SIG)
      • Vulnerability Database Catalog
    • Women of FIRST
  • Internet Governance
  • IR Database
  • Fellowship Program
    • Application Form
  • Mentorship Program
  • IR Hall of Fame
    • Hall of Fame Inductees
  • Victim Notification
  • Volunteers at FIRST
    • FIRST Volunteers
    • Volunteer Contribution Record
  • Previous Activities
    • Best Practices Contest