Analysis of the distribution of the severity of vulnerabilities in the U.S. National Vulnerability Database

bnjmndn/nvdAnalysis

nvdAnalysis: Exploring the National Vulnerability Database for severity of vulns

Introduction

This workbook analyzes data from the National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

Data

The dataset has been converted from JSON to CSV format to allow for easier analysis in R. The original JSON or XML formats are available here.

Goals and variables explored

This work is part of an ongoing project with the Center for Democracy and Technology, which explores the concept of 'digital defects'.

In the NVD, the Common Vulnerability Scoring System (CVSS) is used to score the impact and severity of each vulnerability. By exploring the NVD and examining the distribution of severity and impact across known vulnerabilities, we can better inform efforts to apply the legal concept of 'defects' to these technologies. While it may be true that it is 'difficult to write bug-free code' or that 'not all bugs can be known ahead of time', that does not mean known critical vulnerabilities should not be fixed before these technologies are shipped. Identifying how frequently such vulnerabilities appear in software helps us determine a severity threshold at which a vulnerability might render a product 'defective'.
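The two technical steps the sections above describe, flattening the NVD JSON feed into CSV and tabulating the distribution of CVSS severity, can be shown end to end in a short script. The example below is added here and is not part of the nvdAnalysis project (whose analysis is done in R); it uses Python and the standard library only. The sample feed is constructed, with placeholder CVE identifiers, but follows the layout of the NVD JSON 1.1 feed (`CVE_Items` entries carrying `impact.baseMetricV3.cvssV3` and/or `impact.baseMetricV2.cvssV2`). Severity bands are the CVSS v3.x qualitative rating scale (None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0). The example also covers two cases a real feed contains: items scored only under CVSS v2, and unscored (e.g. rejected) items, which must not be silently dropped or mis-binned.

```python
"""Flatten an NVD JSON 1.1 feed into CSV rows and tabulate CVSS v3 severity.

Added example, not the nvdAnalysis project's own R code. The feed below is
constructed (placeholder CVE identifiers) in the NVD 1.1 feed layout.
"""
import csv
import io
import json
from collections import Counter

# Constructed sample feed; CVE identifiers are placeholders, not real entries.
SAMPLE_FEED = json.dumps({
    "CVE_Items": [
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
         "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}}},
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
         "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}}},
        # Scored only under CVSS v2, as many pre-2016 CVEs are.
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}},
         "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 4.3}}}},
        # No impact metrics at all (e.g. a rejected or not-yet-analyzed entry).
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0004"}},
         "impact": {}},
        {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0005"}},
         "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.5, "baseSeverity": "HIGH"}}}},
    ]
})

FIELDS = ["cve_id", "cvss3_score", "cvss3_severity", "cvss2_score"]


def cvss3_severity(score):
    """Map a CVSS v3.x base score to its qualitative rating (CVSS v3.x scale)."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def flatten(feed_text):
    """Yield one flat dict per CVE item; missing metrics become empty strings."""
    for item in json.loads(feed_text)["CVE_Items"]:
        impact = item.get("impact", {})
        v3 = impact.get("baseMetricV3", {}).get("cvssV3", {})
        v2 = impact.get("baseMetricV2", {}).get("cvssV2", {})
        score3 = v3.get("baseScore")
        severity3 = "" if score3 is None else cvss3_severity(score3)
        # Consistency check: the feed's own label must agree with the score band.
        stated = v3.get("baseSeverity")
        if stated and stated != severity3:
            raise ValueError(f"{item['cve']['CVE_data_meta']['ID']}: {stated} != {severity3}")
        yield {
            "cve_id": item["cve"]["CVE_data_meta"]["ID"],
            "cvss3_score": "" if score3 is None else score3,
            "cvss3_severity": severity3,
            "cvss2_score": v2.get("baseScore", ""),
        }


def to_csv(feed_text):
    """Render the flattened feed as CSV text ready for read.csv() in R."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    for row in flatten(feed_text):
        writer.writerow(row)
    return buf.getvalue()


def severity_distribution(feed_text):
    """Count CVEs per CVSS v3 band; items without a v3 score count as UNSCORED."""
    counts = Counter()
    for row in flatten(feed_text):
        counts[row["cvss3_severity"] or "UNSCORED"] += 1
    return dict(counts)


if __name__ == "__main__":
    print(to_csv(SAMPLE_FEED))
    print(severity_distribution(SAMPLE_FEED))
```

Keeping the UNSCORED bucket visible matters for the threshold question the project raises: a distribution computed only over v3-scored items overstates how much of the database has a usable severity, so the denominator should be stated alongside any band percentages.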

Outputs

Dependent packages

exploitDB-hardware

tidyTuesday
