usnistgov / vulntology

Development of the NIST vulnerability data ontology (Vulntology).
https://pages.nist.gov/vulntology


NIST Vulnerability Data Ontology

The Vulntology is a project created to characterize vulnerabilities and provide a granular and intuitive structure for that information. This repository is a location to support community development of the NIST Vulnerability Data Ontology, or Vulntology.

Project Scope

The Vulntology is intended to provide characterization details about how a vulnerability can be exploited, what the impact of that exploit will be, and what mitigating factors can make exploitation difficult. These details are provided in the context of a given attack scenario, which may differ in characteristics from other scenarios for the same vulnerability.

The Vulntology is not intended to be a general-purpose format for describing vulnerability information. Instead, the Vulntology is intended to be a drop-in replacement for a vulnerability description. The Vulntology project will avoid duplicating work in other formats to the greatest extent possible. Due to the relational approach used, the Vulntology may provide some overlapping details as a means to define a given scenario, such as affected product information.

Goals

How to Help

We are currently looking for assistance from organizations and people within the vulnerability management community. If you are interested, please refer to the Contributing page.