NVD database resources and distribution #133
Comments
Some general CVE/NVD background. NVD is effectively downstream of CVE; NVD adds analysis and content to CVE content. Both NVD and the CVE Program are sponsored by the U.S. Government, DHS CISA. The CVE Program is also supported by substantial community, volunteer, and membership effort, including CVE Numbering Authorities (CNAs) and other Partners.
At least three issues that came up in discussion:
It would be helpful for this discussion to expand on "results are a bit worrying": what were the results, and why are they worrying?
Although formally the NVD is funded by the US government, my understanding is that in practice that funding is small and unreliable.
There are worldwide regulations that are all pointing to vulnerability handling where the CVE and NVD are the base engine. To hear that it is a small department funded by a single country that is a critical part of this toolchain is worrying, from an EU perspective (I'm in Sweden). It feels like the DNS all over again :-)
I can't comment on NVD funding, but I observe that it continues to operate, and as (at least IMO) a useful U.S. government service, plus something cited in regulations, my bet is it sticks around. Perhaps more importantly, NVD is effectively downstream of CVE. If I were looking at a global-scale solution, I'd work with the "source" CVE Program. While currently funded by the U.S., CVE
One idea (that just so happens to align with my personal view on the CVE mission) is to sort out a sufficiently global vulnerability identification service (basically, CVE plus diversified funding and governance, with a focus on identification and catalog), with regional, national, or other databases downstream. The EU/member states could add what information/value they want or are required to, and NVD can do the same. The key is that we'd all use the same IDs.
The SBOM Forum (an informal group) has reached out to the NVD team and the results are a bit worrying. We may want to discuss future management of this core database.