Feeling vulnerable? Talk about it


Red Hat and the National Institute of Standards and Technology are working together to create a new commenting system for NIST's National Vulnerability Database (NVD).

The system will give vendors a forum to publicly contribute information about common vulnerabilities, including ones that may affect software or applications beyond the product in which they were originally reported.

“We've been brainstorming this for a couple of years trying to figure out how to do it,” said Mark Cox, manager of Red Hat’s security response team. Cox is one of the founders of the commenting system.

Red Hat has been using the system as a test program for the past few weeks, submitting more than 100 comments. Only one other company, Linux developer Mandriva, has added a comment about its software.

No other system like NVD exists in the vendor community, Cox said. Although there are many major vulnerability databases, minor software-centric vulnerabilities often fly under the radar, he said. In most cases, users must call companies to find out whether a given vulnerability affects multiple programs.

“I saw use of it where multiple vendors ship the same software,” Cox said. “If it's an Apache vulnerability, then how does that affect Red Hat?”

Peter Mell, program manager for NVD, said NIST’s primary concern is to provide vendors and security companies a chance to comment.

There was “no way for the security industry to put their two cents in with respect to what these vulnerabilities mean,” Mell said.
