Plan to resuscitate beleaguered vulnerability database draws criticism 

submitted by
Style Pass
2024-03-30 03:00:03

The federal official in charge of a crucial vulnerability database that has recently gone mostly dark said Wednesday that she hoped the formation of a consortium would improve the repository, a move that some experts immediately criticized as too slow to address an urgent problem.

In mid-February, the National Institute of Standards and Technology stopped providing key metadata for many vulnerabilities in its National Vulnerability Database, which cybersecurity professionals describe as a critical tool for computer security functions globally and whose absence could result in dangerous vulnerabilities going unfixed.

Tanya Brewer, who manages the National Vulnerability Database program, said at a conference on Wednesday that a notice forthcoming in the Federal Register in the next two weeks will announce the process for forming an outside consortium to help improve the database.

Compared to other resources of its kind, “NVD is not the best database,” Brewer said. If it was, “I would not be putting together a consortium asking industry to help make it better,” she said at VulnCon in Raleigh, N.C. “There’s a lot of room for the NVD to improve, and I think we have the capability to be a much better database than we are.”
