NIST releases vulnerability database

The comprehensive cybersecurity database is updated daily with the latest known vulnerabilities associated with commercial products.

The National Institute of Standards and Technology has launched a comprehensive cybersecurity vulnerability database that is updated daily with the latest information on vulnerabilities in popular products.

The National Vulnerability Database (NVD) integrates all publicly available U.S. government vulnerability resources and provides references to industry resources. The Web site, nvd.nist.gov, contains about 12,000 vulnerability entries with around 10 being added per day, said Peter Mell, a senior computer scientist with NIST and creator of NVD.

The database will be useful to members of the public who want detailed information about vulnerabilities within specific products and trends within industry segments, as well as to developers who need to import vulnerability information into their security products, Mell said.

The NVD is funded by the Department of Homeland Security’s National Cyber Security Division and is designed to complement the department’s suite of vulnerability management offerings, Mell said. DHS’ Technical Cyber Security Alerts and Vulnerability Notes contain detailed information, but warn the public only about the most critical vulnerabilities, he said.

The NVD, on the other hand, “is an encyclopedia of everything,” Mell said.

The database is built completely on the Common Vulnerabilities and Exposures (CVE) naming standard, which was developed by representatives from academia, government and industry.

Maintained by Mitre Corp., CVE is a dictionary, not a database. It is designed to make it easier to share data across separate vulnerability databases and security tools. About 300 security products use CVE to identify vulnerabilities and facilitate interoperability between those products. NVD will aid that interoperability effort by enhancing the CVE name standard with detailed vulnerability information, Mell said.

The entire NVD database of vulnerability information is freely available to the public as an Extensible Markup Language (XML) feed. This will help developers include the information within their IT security products. The NVD can also generate statistics that reveal vulnerability discovery trends within industry segments and products, Mell said.

A statistics generation engine lets users chart and graph custom statistics. For instance, they can see that vulnerabilities such as buffer overflows, which have been around for a long time, are still being discovered in large numbers even though tools are available to eliminate this problem, Mell said.