usnistgov / vulntology

Development of the NIST vulnerability data ontology (Vulntology).
https://pages.nist.gov/vulntology

Where did the logical-impact values come from? They appear incomplete. #159

Closed Crashedmind closed 8 months ago

Crashedmind commented 9 months ago

Question

Overall this project looks interesting and promising! Thanks!

@Chris-Turner-NIST, @david-waltermire-nist, I'm interested in the current logical impacts:

Why were these ones chosen (versus other ones)? I'm trying to understand the rationale or process behind the selection. No references are given.

I ask because I did an analysis on CVEs (all, and CISA KEV subset) to determine the Impact "phrases". The analysis included Topic Modeling to find key phrases used, and to rank them by occurrence, and deduplicate them by similarity. So I have a draft Taxonomy of Logical Technical Impacts.

I put this here as an issue (rather than a chat comment) - as I may submit a Pull Request or contribute to this list in general... if there's interest.

Chris-Turner-NIST commented 9 months ago

@Crashedmind The current valid value lists are not considered exhaustive. The intent at this stage was to get generalized coverage and make adjustments during practical application of the Vulntology model. We do want to keep a balance between an initial scatter-shot approach with a large volume of seemingly different terminology so we could reduce or avoid the need to untangle many concepts that end up being too conceptually similar (a problem that already exists today when using free text explanations in advisories) or end up needing to be redefined within an alternative object (Ex: Priv escalation being considered an impact instead of an impact method).

If you wish to propose modifications to any valid values list or even request that certain valid values be added feel free to. We do request that for each you include justification for why it is distinct from existing values in addition to why it belongs within the intended object.

david-waltermire commented 8 months ago

Closing this for now. @Crashedmind if you have a suggestion on additional valid values, we can reopen this in the future.

Crashedmind commented 5 months ago

@david-waltermire sorry about the delay in getting back to this.... But in summary the Technical Impacts from MITRE CAPEC are a good reference or start: https://capec.mitre.org/custom/view.html?id=1000.

These are used in CWEs associated with CVEs e.g. https://cwe.mitre.org/data/definitions/917.html

[image]

So an Impact and Impact Method Taxonomy might look like...

[image]

I'll be presenting on this topic of Impact Taxonomy / Types at BSidesDublin May 18... on the research, data, rationale behind this...

Crashedmind commented 5 months ago

...and some rationale from MITRE https://cwe.mitre.org/community/swa/priority.html

While there are a large number of weaknesses in CWE, there appear to be only eight different consequences or technical impacts to which these failures lead (see the table below). In other words, if a weakness manifests itself in a product in an exploitable manner and an attacker successfully exploits it, then there will be one of eight technical impacts or consequences from that weakness.

Technical Impacts of Software Weaknesses:

- Read data
- Modify data
- Denial-of-Service: unreliable execution
- Denial-of-Service: resource consumption
- Execute unauthorized code or commands
- Gain privileges / assume identity
- Bypass protection mechanism
- Hide activities