Wednesday, 18 July 2018 10:45

No standards for vulnerability database, but 'US has set norms'


There are no universal standards for a vulnerability database but the US national vulnerability database was the first to be set up and has set the norms for others, a researcher at the threat intelligence firm Recorded Future says.

Priscilla Moriuchi, a former NSA employee, was responding to queries from iTWire about a research brief that painted Russia's national vulnerability database as "incomplete, slow, and likely intended to support the control of the Russian state over technology companies and users".

Moriuchi said the fact that the US was first did not mean that every nation needed to follow its standards and norms.

"However, vulnerability disclosure is inherently a transparency process, intended to promote global Internet security and when nations use their vulnerability disclosure processes to support intelligence operations, that global Internet trust and security is undermined," she added.

The Recorded Future brief also pointed out that Russia's vulnerability database "publishes only 10% of known vulnerabilities, is on average 83 days slower than China’s national vulnerability database, 50 days slower than the US NVD, and incomplete in the few technologies it does cover".

When it was pointed out to Moriuchi that Russian infosec workers could obtain details about a vulnerability from databases other than the one run by their own country, she said the point the brief sought to make was that the Russian effort was a poor resource.

"Our goal in examining various countries' vulnerability databases is simply to compare and contrast their performance and utility," she said.

"Citizens of Russia certainly can browse to another nation's vulnerability database. Our point is simply that in terms of performance and utility, Russia's vulnerability database is a poor resource for citizens and network defenders."

Moriuchi and fellow researcher Dr Bill Ladd had also said in their study that the Russian database excluded vulnerabilities about content management systems.

When iTWire suggested that perhaps this was because these systems were not important to Russia, Moriuchi replied: "Each nation chooses which vulnerabilities to publish and how to publish them."

Recorded Future has, in the past, also done a study of China's national vulnerability database and found that the authorities there have altered dates to try to make it appear that serious vulnerabilities were published ahead of the US national database.



Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
