The Inner Circle

  • 1.  New working group - Universal Vulnerability Identifier

    Posted Jul 15, 2021 02:51:00 PM
    This is the brainchild of @Kurt Seifried and @Josh Bressers. They have shown me several use cases in the industry where any number of researchers or technology stewards need to rapidly obtain a vulnerability ID that is similar to a CVE and quickly push it out to a universally accessible vulnerability DB.

    https://cloudsecurityalliance.org/blog/2021/07/15/got-vulnerability-cloud-security-alliance-wants-to-identify-it/

    ------------------------------
    Jim Reavis CCSK
    Cloud Security Alliance
    Bellingham WA
    ------------------------------


  • 2.  RE: New working group - Universal Vulnerability Identifier

    Posted Jul 15, 2021 03:04:00 PM
    Not just obtain an identifier, but publish it in an easily found location. We can't ask people to keep an eye on all sorts of random locations in case a security vulnerability they care about pops up on it; we need to help people with discovery, and it can't lag for days or weeks, it should take seconds or minutes. A perfect example is Debian: they have thousands of security advisories, not all of which have CVEs, so now you have to parse ALL their advisories. This is workable for one vendor, but most companies rarely use a single vendor for all their software. We'll be working on a proof-of-concept, hopefully this weekend, for UVI coverage of ALL of Debian's vulnerabilities using an automated system.

    ------------------------------
    Kurt Seifried
    Chief Blockchain Officer and Director of Special Projects
    Cloud Security Alliance
    ------------------------------