NIST launches Web site for input on software vulnerabilities

The National Institute of Standards and Technology today launched a service within its National Vulnerability Database that will allow vendors to discuss the impact of vulnerabilities on their products.

"The service is designed to be a public forum for vendors to comment on the vulnerabilities, and to have those comments embedded in databases and discussions," said NVD program manager Peter Mell.

The National Vulnerability Database is an outgrowth of the Common Vulnerabilities and Exposures dictionary, developed and maintained by Mitre Corp., which establishes a standard naming scheme for software vulnerabilities. NIST established NVD as a central source for information on vulnerabilities, using the CVE. The database, at http://nvd.nist.gov, receives 25 million hits a year and an Extensible Markup Language feed updates the information for subscribers every two hours.

The database contains information from researchers about vulnerabilities they have found, but typically not from vendors who develop and sell the software products that might be affected.

"There hasn't been a public forum for software vendors where they can say, here's some more information," Mell said.

The impetus for the program came from Mark J. Cox, security response director for Red Hat Inc. of Raleigh, N.C., which sells open-source software including Red Hat Linux and SELinux.

"We've been putting a lot of security into Red Hat and SELinux, and often the reported vulnerabilities to not appear in our software," Cox said. But there had been no good way to disseminate that information except through its own announcements.

"He came to me and said, 'We need this kind of service; can you provide it?' " Mell said. And it turned out NIST could. "It technically was very easy."

NIST provides a Web portal for vendors with accounts that lets them post official statements about vulnerabilities. These can include information on what versions and products are affected or not affected, guidance on configuration and remediation, analysis, explanations and disputes. The statements appear on the same page as the vulnerability being described.

NIST verifies designated vendor officials who receive the accounts on the service and authenticates users accessing the service to make posts.

The service went through an eight-week pilot with Red Hat as the first company posting comments. Since then, Mandriva of San Diego, another Linux developer, also has set up an account and begun posting comments. The service now is live.

"It's my hope that the industry at large will want to participate," Mell said.

Cox said Red Hat will evangelize the service, which he expects will be particularly helpful to the open-source community.

"This is really useful for software that is shipped by multiple vendors," he said. "But the service is going to be open for everyone."

William Jackson is a staff writer for Washington Technology's sister publication, Government Computer News.