U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.

Https

We are building a provable archive!
A lock (Dot gov) or https:// don't prove our archive is authentic, only that you securely accessed it. Note that we are working to fix that :)

NIST IR 8138 (Initial Public Draft)

Vulnerability Description Ontology (VDO): a Framework for Characterizing Vulnerabilities

Date Published: September 2016
Comments Due: October 31, 2016 (public comment period is CLOSED)
Email Questions to: nistir8138@nist.gov

Planning Note (03/10/2022): For current information on NIST’s Vulntology Project, see https://github.com/usnistgov/vulntology.

Author(s)

Harold Booth (NIST), Christopher Turner (BAH)

Announcement

NISTIR 8138 aims to describe a more effective and efficient methodology for characterizing vulnerabilities found in various forms of software and hardware implementations including but not limited to information technology systems, industrial control systems or medical devices to assist in the vulnerability management process. The primary goal of the described methodology is to enable automated analysis using metrics such as the Common Vulnerability Scoring System (CVSS). Additional goals include establishing a baseline of the minimum information needed to properly inform the vulnerability management process, and facilitating the sharing of vulnerability information across language barriers.

This is the first of several anticipated drafts of the Vulnerability Description Ontology (VDO), which describes a methodology for characterizing vulnerabilities. The VDO is not intended to be complete at this time and the authors do not expect that this draft reflects the full breadth and depth of the information needed to fully automate the descriptions for vulnerabilities. Reviewers are asked to provide feedback on terminology that is unclear, in conflict with established practice and are encouraged to provide feedback and examples where the current draft falls short in enabling the description of a vulnerability. Future drafts will be produced attempting to incorporate feedback consistent with the purpose of the document and the goal of improving the final version.

Abstract

Keywords

taxonomy; vulnerabilities; software defects; vulnerability management; patching; ontology
Control Families

Configuration Management

Documentation

Publication:
Draft NISTIR 8138 (pdf)

Supplemental Material:
Vulntology Project -- current project on GitHub

Document History:
09/30/16: IR 8138 (Draft)

Topics

Security and Privacy

security automation, threats, vulnerability management