The US cybersecurity agency CISA on Wednesday announced a new project that aims to add important information to CVE records in an effort to help organizations improve their vulnerability management processes.
The project is named Vulnrichment and its goal is the enrichment of public CVE records with Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), Common Weakness Enumeration (CWE), and Known Exploited Vulnerabilities (KEV) data.
CISA says it has already enriched 1,300 CVEs — particularly new and recent CVEs — and is asking all CVE numbering authorities (CNAs) to provide complete information when submitting vulnerability information to CVE.org.
The agency says it’s initially taking each CVE through a Stakeholder-Specific Vulnerability Categorization (SSVC) scoring process.
SSVC, developed by CISA in collaboration with Carnegie Mellon University’s Software Engineering Institute, provides a vulnerability analysis methodology that accounts for a vulnerability’s exploitation status, safety impact, and prevalence of the affected product.
In the next phase, further analysis is conducted for vulnerabilities that have a high-impact, are automatable, have PoC exploit code available, or are already being exploited in attacks.
CISA says the information added as part of the Vulnrichment project can help organizations prioritize remediation efforts and understand trends, and it can drive vendors to address entire classes of vulnerabilities.
The Vulnrichment project is hosted on GitHub and each enriched CVE entry is available in JSON format to allow organizations to easily incorporate the updates into their vulnerability management processes.
CISA is often the first to issue public warnings about a vulnerability being exploited in the wild. The agency’s KEV catalog, which includes over 1,100 exploited flaw entries, has become an important resource for vulnerability management.
Related: Zoom Unveils Open Source Vulnerability Impact Scoring System
Related: Faster Patching Pace Validates CISA’s KEV Catalog Initiative
Related: CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching
