ossf / wg-vulnerability-disclosures

The OpenSSF Vulnerability Disclosures Working Group seeks to help improve the overall security of the open source software ecosystem by helping mature and advocate well-managed vulnerability reporting and communication.
https://openssf.org
Apache License 2.0
175 stars 40 forks

NVD database resources and distribution #133

Open oej opened 1 year ago

oej commented 1 year ago

The SBOM Forum (an informal group) has reached out to the NVD team and the results are a bit worrying. We may want to discuss future management of this core database.

zmanion commented 1 year ago

Some general CVE/NVD background.

NVD is effectively downstream of CVE, NVD adds analysis and content to CVE content.

Both NVD and the CVE Program are sponsored by the U.S. Government, DHS CISA.

The CVE Program is also supported by substantial community, volunteer, and membership effort, including CVE Numbering Authorities (CNAs) and other Partners.

zmanion commented 1 year ago

At least three issues that came up in discussion:

  1. U.S. Government funding, desire for a more global, international, organizational and funding structure
  2. While proprietary software very often includes or depends on OSS, CVE and NVD scope covers all software, OpenSSF is scoped to OSS.
  3. While the CVE ecosystem is very widely adopted, other identification systems and catalogs exist, for example, the Global Security Database (GSD), which is part of the Cloud Security Alliance.

JasonKeirstead commented 1 year ago

It would be helpful for this discussion to expand on "results are a bit worrying" - what were the results and why are they worrying?

david-a-wheeler commented 1 year ago

Although formally the NVD is funded by the US government, my understanding is that in practice that funding is small and unreliable.

oej commented 1 year ago

There are worldwide regulations that are all pointing to vulnerability handling where CVE and NVD are the base engine. To hear that a small department funded by a single country is a critical part of this toolchain is worrying, from an EU perspective (I'm in Sweden). It feels like the DNS all over again :-)

zmanion commented 1 year ago

I can't comment on NVD funding, but I observe that it continues to operate, and as (at least IMO) a useful U.S. government service, plus something cited in regulations, my bet is it sticks around.

Perhaps more importantly, NVD is effectively downstream of CVE. If I were looking at a global-scale solution, I'd work with the "source" CVE Program. While currently funded by the U.S., CVE

One idea (that just so happens to align with my personal view on the CVE mission) is to sort out a sufficiently global vulnerability identification service (basically, CVE plus diversified funding and governance, focus on identification and catalog), with regional, national, or other databases downstream. The EU/member states could add what information/value they want or are required to, NVD can do the same. The key is that we'd all use the same IDs.