Enhancing CVE Records as an Authorized Data Publisher

Show Notes

Kent Landfield of McAfee and Art Manion of CERT/CC discuss how the CVE Program’s upcoming release of JSON 5.0 will allow for additional and related information to be added to CVE Records after they have been published by CVE Numbering Authorities (CNAs). These additions — such as risk scores, affected product lists, versions, references, translations, etc. — will be made by “Authorized Data Publishers (ADPs),” which will be organizations authorized within the CVE Program to enrich the records. Also discussed are the benefits of enriched CVE Records to downstream users and the overall vulnerability management community, the use of Stakeholder-specific Vulnerability Categorization (SSVC), and plans and expectations for the upcoming ADP pilot.