CISA Announces CVE Enrichment Project ‘Vulnrichment’

Share This Post

The US cybersecurity agency CISA on Wednesday announced a new project that aims to add important information to CVE records in an effort to help organizations improve their vulnerability management processes.

The project is named Vulnrichment and its goal is the enrichment of public CVE records with Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), Common Weakness Enumeration (CWE), and Known Exploited Vulnerabilities (KEV) data.

CISA says it has already enriched 1,300 CVEs — particularly new and recent CVEs — and is asking all CVE numbering authorities (CNAs) to provide complete information when submitting vulnerability information to CVE.org. 

The agency says it’s initially taking each CVE through a Stakeholder-Specific Vulnerability Categorization (SSVC) scoring process. 

SSVC, developed by CISA in collaboration with Carnegie Mellon University’s Software Engineering Institute, provides a vulnerability analysis methodology that accounts for a vulnerability’s exploitation status, safety impact, and prevalence of the affected product.

In the next phase, further analysis is conducted for vulnerabilities that have a high-impact, are automatable, have PoC exploit code available, or are already being exploited in attacks.  

CISA says the information added as part of the Vulnrichment project can help organizations prioritize remediation efforts and understand trends, and it can drive vendors to address entire classes of vulnerabilities.

The Vulnrichment project is hosted on GitHub and each enriched CVE entry is available in JSON format to allow organizations to easily incorporate the updates into their vulnerability management processes. 

Advertisement. Scroll to continue reading.

CISA is often the first to issue public warnings about a vulnerability being exploited in the wild. The agency’s KEV catalog, which includes over 1,100 exploited flaw entries, has become an important resource for vulnerability management.

Related: Zoom Unveils Open Source Vulnerability Impact Scoring System

Related: Faster Patching Pace Validates CISA’s KEV Catalog Initiative

Related: CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching

This post was originally published on this site

More Articles
Article

Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.

Report

Harassment or bullying behavior
Contains mature or sensitive content
Contains misleading or false information
Contains abusive or derogatory content
Contains spam, fake content or potential malware

Block Member?

Please confirm you want to block this member.

You will no longer be able to:

  • See blocked member's posts
  • Mention this member in posts
  • Invite this member to groups
  • Message this member
  • Add this member as a connection

Please note: This action will also remove this member from your connections and send a report to the site admin. Please allow a few minutes for this process to complete.

Report

You have already reported this .