
NVD database resources and distribution #133

Open
oej opened this issue May 17, 2023 · 6 comments

Comments

@oej

oej commented May 17, 2023

The SBOM Forum (an informal group) has reached out to the NVD team and the results are a bit worrying. We may want to discuss future management of this core database.

@zmanion

zmanion commented May 17, 2023

Some general CVE/NVD background.

NVD is effectively downstream of CVE, NVD adds analysis and content to CVE content.

Both NVD and the CVE Program are sponsored by the U.S. Government, DHS CISA.

The CVE Program is also supported by substantial community, volunteer, and membership effort, including CVE Numbering Authorities (CNAs) and other Partners.

@zmanion

zmanion commented May 17, 2023

At least three issues that came up in discussion:

  1. U.S. Government funding, desire for a more global, international, organizational and funding structure
  2. While proprietary software very often includes or depends on OSS, CVE and NVD scope covers all software, OpenSSF is scoped to OSS.
  3. While the CVE ecosystem is very widely adopted, other identification systems and catalogs exist, for example, the Global Security Database (GSD), which is part of the Cloud Security Alliance.

@JasonKeirstead

It would be helpful for this discussion to expand on "results are a bit worrying"- what were the results & why are they worrying?

@david-a-wheeler

Although formally the NVD is funded by the US government, my understanding is that in practice that funding is small and unreliable.

@oej

oej commented May 19, 2023

There are worldwide regulations that are all pointing to vulnerability handling where the CVE and NVD is the base engine. To hear that it is a small department funded by a single country that is a critical part of this toolchain is worrying, from an EU perspective (I'm in Sweden). It feels like the DNS all over again :-)

@zmanion

zmanion commented May 27, 2023

I can't comment on NVD funding, but I observe that it continues to operate, and as (at least IMO) a useful U.S. government service, plus something cited in regulations, my bet is it sticks around.

Perhaps more importantly, NVD is effectively downstream of CVE. If I were looking at a global-scale solution, I'd work with the "source" CVE Program. While currently funded by the U.S., CVE

  • has a much more distributed organization
  • is designed to decouple funding from the organizational structure
  • receives substantial effort from volunteer and community members
  • already has international engagement

One idea (that just so happens to align with my personal view on the CVE mission) is to sort out a sufficiently global vulnerability identification service (basically, CVE plus diversified funding and governance, focus on identification and catalog), with regional, national, or other databases downstream. The EU/member states could add what information/value they want or are required to, NVD can do the same. The key is that we'd all use the same IDs.
