Top Concerns with Vulnerability Data

The permanent and official location for the Vulnerability Data Working Group is https://cloudsecurityalliance.org/research/working-groups/vulnerability-data

Acknowledgments

Lead Authors
Abhineeth Pasam
Ahaan Sinha

Reviewers
Alan Curran MSc
Anita Whitby
Charan Akiri
Clifton Fernandes
Debrup Ghosh
Edward Newman
Gene Schank
James Morgan-Jones
Mallika Gunturu
Mark Szalkiewicz
Meghana Parwate
Michael Roza
Prateek Mittal
Rahul Kalva
Rajashekar Yasani
Rhitvik Sinha
Shruti Dhumak
Sudheer Vallandas
Vani Murthy

CSA Global Staff
Josh Buker
Stephen Lumpe
Kurt Seifried

Table of Contents

Acknowledgments
Table of Contents
Introduction
Role of Vulnerability Data
Current State of Vulnerability Data
Identifying the Current Challenges
CVE
Data Quality and Fidelity
Perverse Incentives to not Create CVEs
Finding Relevant Vulnerability Data
Notifying Project Maintainers
Lack of Interoperability
Resolving Disputes
Complexity of Reporting Vulnerabilities
Increasing Number of CVEs Every Year
CVSS
Disadvantages of CVSS
Inability to Prioritize Risk
Static Scoring System
User Stories
cURL
Custom Solutions
Alternatives to CVSS
EPSS
SSVC
VPR
Threat Modeling Frameworks
What Is Threat Modeling?