National Vulnerability Database

I learned today the National Vulnerability Database (NVD) has replaced the old NIST ICAT system. The NVD describes itself this way:

"NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on and synchronized with the CVE vulnerability naming standard."

There's a link to a workload index, whose URL includes the term "threatindex" (groan). On that page we read:

"Workload Index Information

This index calculates the number of important vulnerabilities that information technology security operations staff are required to address each day. The higher the number, the greater the workload and the greater the general threat represented by the vulnerabilities."

I think the last sentence should instead read:

"The higher the number, the greater the workload and the greater the general risk represented by the vulnerabilities."


I am not sure what the Open Source Vulnerability Database (OSVDB) thinks of the NVD. There is a blog posting about NVD, but no commentary by OSVDB members. I think the OSVDB needs to remain as a place that is independent of US government control. If a truly severe vulnerability is found, who is more likely to publish it first -- nvd.nist.gov or www.osvdb.org?

On a note related to vulnerabilities, here is a list of vulnerability or attack description projects.

• Nessus Attack Scripting Language and the Syngress Nessus Network Auditing book


• Application Vulnerability Description Language (AVDL); also here


• Enterprise Vulnerability Description Language (EVDL)


• Intrusion Detection [Message] Exchange Format (idwg) and drafts


• Common Vulnerability Scoring System (CVSS), discussed here, here, here, and here; also there is an Interactive Common Vulnerability Scoring System


• Open Vulnerability and Assessment Language


• IETF Extended Incident Handling Working Group (INCH), which was preceded by the Incident Object Description and Exchange Format Working Group


• Fingerprint Sharing Alliance


• High Level Firewall Language

These are papers on related subjects:

• Classification and Detection of Computer Intrusions


• STATL: An Attack Language for State-based Intrusion Detection


• aDeLe Attack Description Language


• Correlated Attack Modeling Language (CAML)


• A Language Driven Intrusion Detection System for Events and Alerts Correlation