CISA starts CVE “vulnrichment” program
2024-05-09 10:10

The US Cybersecurity and Infrastructure Security Agency (CISA) has announced the creation of "Vulnrichment," a new project that aims to fill the CVE enrichment gap created by the recent slowdown of NIST's National Vulnerability Database (NVD).

NVD analysts have long been adding CVE-numbered vulnerabilities (the CVE list itself dates back to 1999) to the database after analyzing public data about each one to "enrich" the entry with impact metrics (CVSS scores), vulnerability types (CWE identifiers), applicability statements (CPE strings), links to security advisories, and more. Since early 2024, that enrichment has largely stalled, leaving a growing backlog of CVEs with no NVD analysis.

NIST's main proposed remedy for the slowdown is to establish a consortium of industry, government, and other stakeholder organizations that will collaborate on improving the NVD. CISA's Vulnrichment is a more immediate stopgap. How will it work?

"The CISA Vulnrichment project is the public repository of CISA's enrichment of public CVE records through CISA's ADP container. In this phase of the project, CISA is assessing new and recent CVEs and adding key SSVC decision points," the agency explains on the project's GitHub repo.

"For those CVEs that are rated as 'Total Technical Impact,' 'Automatable,' or have 'Exploitation' values of 'Proof of Concept' or 'Active Exploitation,' further analysis will be conducted. CISA will determine if there is enough information to assert a specific CWE identifier, a CVSS score, or a CPE string," the agency noted. It also confirmed that its additions live in CISA's own ADP container and will not overwrite the originating CNA's data in the vulnerability's CVE record.

For Vulnrichment, CISA is sticking with the CVE JSON format, "so stakeholders can immediately start incorporating these updates into vulnerability management processes."
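As an added example (not CISA's code, and not part of the original article), the following Python reads a CVE record in the CVE JSON 5 layout, pulls CISA's ADP container out alongside the CNA's container, flattens the SSVC decision points, and applies the triage rule quoted above. The record, its CVE ID, vendor and product are constructed for illustration; the container layout (`containers.cna`, `containers.adp[]`, an SSVC metric under `metrics[].other` with type `ssvc`), the `CISA-ADP` provider name, and the short SSVC option values (`poc`, `active`, `total`) are assumptions about the record format, not something the article states.

```python
"""Read CISA ADP (Vulnrichment) enrichment out of a CVE JSON 5 record.

Added example, not CISA's code. Record, CVE ID, vendor and product below
are constructed; the container layout and SSVC value spellings are assumed.
"""
import json
import sys

# Constructed sample: the CNA's own data plus a separate CISA ADP container.
SAMPLE_RECORD = json.loads(r'''{
  "dataType": "CVE_RECORD", "dataVersion": "5.0",
  "cveMetadata": {"cveId": "CVE-2024-0000", "state": "PUBLISHED"},
  "containers": {
    "cna": {
      "providerMetadata": {"shortName": "ExampleCNA"},
      "descriptions": [{"lang": "en", "value": "Constructed example: authentication bypass in widget 1.0."}],
      "affected": [{"vendor": "example", "product": "widget",
                    "versions": [{"version": "1.0", "status": "affected"}]}],
      "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3,
                   "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}]
    },
    "adp": [{
      "title": "CISA ADP Vulnrichment",
      "providerMetadata": {"shortName": "CISA-ADP"},
      "metrics": [
        {"other": {"type": "ssvc", "content": {"role": "CISA Coordinator", "version": "2.0.3",
          "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}]}}},
        {"cvssV3_1": {"version": "3.1", "baseScore": 7.5,
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}
      ],
      "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en",
          "description": "Improper Authentication"}]}],
      "affected": [{"vendor": "example", "product": "widget",
                    "cpes": ["cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*"]}]
    }]
  }
}''')

# Assumed value spellings: records are assumed to carry short forms ("poc",
# "active"); the display names the article quotes are accepted as well.
_EXPLOITATION_FLAGGED = {"poc", "proof of concept", "active", "active exploitation"}


def cisa_adp_container(record):
    """Return CISA's ADP container from a CVE JSON 5 record, or None if absent."""
    for adp in record.get("containers", {}).get("adp", []):
        short = adp.get("providerMetadata", {}).get("shortName", "")
        if short.upper().startswith("CISA") or "CISA" in adp.get("title", ""):
            return adp
    return None


def ssvc_decision_points(adp):
    """Flatten the SSVC options list into {decision point: value}, lower-cased."""
    points = {}
    for metric in adp.get("metrics", []):
        other = metric.get("other", {})
        if other.get("type") != "ssvc":
            continue
        for option in other.get("content", {}).get("options", []):
            for name, value in option.items():
                points[name] = str(value).lower()
    return points


def needs_further_analysis(points):
    """The triage rule the article quotes: total technical impact, automatable,
    or exploitation at PoC/active level sends the CVE on to deeper analysis."""
    return (
        points.get("Technical Impact") == "total"
        or points.get("Automatable") == "yes"
        or points.get("Exploitation") in _EXPLOITATION_FLAGGED
    )


def cvss_scores(container):
    """(metric key, baseScore) for every cvssV* metric in one container."""
    scores = []
    for metric in container.get("metrics", []):
        for key, value in metric.items():
            if key.startswith("cvss") and isinstance(value, dict) and "baseScore" in value:
                scores.append((key, value["baseScore"]))
    return scores


def enrichment_summary(record):
    """Side-by-side view of the CNA's data and CISA's additions. They are read
    from separate containers, so the ADP data never overwrites the CNA's."""
    cna = record["containers"]["cna"]
    adp = cisa_adp_container(record) or {}
    points = ssvc_decision_points(adp)
    return {
        "cve": record["cveMetadata"]["cveId"],
        "cna_cvss": cvss_scores(cna),
        "adp_cvss": cvss_scores(adp),
        "adp_cwes": [d["cweId"] for pt in adp.get("problemTypes", [])
                     for d in pt.get("descriptions", []) if d.get("cweId")],
        "adp_cpes": [cpe for a in adp.get("affected", []) for cpe in a.get("cpes", [])],
        "ssvc": points,
        "needs_further_analysis": needs_further_analysis(points),
    }


if __name__ == "__main__":
    # Pass a path to a CVE JSON 5 file to summarize it; otherwise use the sample.
    record = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RECORD
    print(json.dumps(enrichment_summary(record), indent=2))
```

Because the CNA and ADP data sit in separate containers, a consumer sees both CVSS scores and decides which to act on, rather than having one silently replace the other; a pipeline that ingests records from the Vulnrichment repository can use `needs_further_analysis()` as a first-pass filter and treat the CWE and CPE values as CISA's assertion, distinct from the CNA's.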


News URL

https://www.helpnetsecurity.com/2024/05/09/cisa-vulnrichment-cve-enrichment/