NIST will start publishing vendor responses to vulnerability alerts as part of its National Vulnerability Database, which lists security holes by assigning unique Common Vulnerability Enumeration numbers.

According to Red Hat security response director Mark Cox, who says the project was his idea, the scheme is designed to give vendors a way to let their customers know when they are not affected by a vulnerability.

The CVE system gives vendors a chance to respond to alerts, but it is compiled by NIST calling the vendors, and it sometimes just lists what products contain the vulnerability.

"Customers can easily find out about things that do affect them, but cannot easily find out about things that do not, so they call our customer support or customer service," Cox said.

"For example, the BIND vulnerability that came out this week doesn't affect them, but we had no easy way to tell customers they were not affected," he added.

The new system requires the vendors to sign up for an NVD account, after which they can push out their own commentaries on specific vulnerabilities. This way, customers don’t have to call up customer support lines to find out if they’re affected.
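The article describes vendor statements attached to NVD entries but not how a customer would consume them. The following is an added example, not code from the article, NIST or Red Hat: a small triage helper that reads vendor statements out of a CVE record and reports whether a named vendor has said its products are not affected. It assumes the JSON layout of the NVD CVE API 2.0 response, in which a CVE record may carry a `vendorComments` list of `organization` / `comment` / `lastModified` objects; the record, the comment text and the advisory placeholder below are constructed for illustration and are not real vendor statements.

```python
"""Triage helper for vendor statements in an NVD-style CVE record.

Added example, not code from the original article or from NIST/Red Hat.
Assumes the NVD CVE API 2.0 JSON layout ("vulnerabilities" -> "cve" ->
"vendorComments"). The record below is constructed; the comments are not
real vendor statements.
"""
import json
import re

# Constructed sample response (not real NVD data). The CVE id is the one
# named in the article; the vendor comments are invented.
SAMPLE_RESPONSE = json.dumps({
    "vulnerabilities": [
        {
            "cve": {
                "id": "CVE-2006-3747",
                "vendorComments": [
                    {
                        "organization": "Red Hat",
                        "comment": "Not vulnerable. This issue did not affect "
                                   "the httpd packages as shipped with this product.",
                        "lastModified": "2006-08-01T00:00:00.000",
                    },
                    {
                        "organization": "ExampleVendor",
                        "comment": "Affected builds have been updated; "
                                   "see advisory ADVISORY-ID-PLACEHOLDER.",
                        "lastModified": "2006-08-02T00:00:00.000",
                    },
                ],
            }
        }
    ]
})

# Heuristic: phrases that usually signal a "not affected" statement.
# A human still reads the full comment; this only prioritises the queue.
NOT_AFFECTED_RE = re.compile(
    r"\b(not (vulnerable|affected)|does not affect|did not affect)\b", re.I
)


def vendor_statements(response_text):
    """Map each CVE id to its list of (organization, comment, lastModified)."""
    data = json.loads(response_text)
    out = {}
    for item in data.get("vulnerabilities", []):
        cve = item["cve"]
        out[cve["id"]] = [
            (c["organization"], c["comment"], c.get("lastModified", ""))
            for c in cve.get("vendorComments", [])
        ]
    return out


def vendor_says_not_affected(response_text, cve_id, organization):
    """True if the vendor's statement reads as 'not affected', False if the
    vendor commented but did not say so, None if that vendor has no comment.
    """
    for org, comment, _ in vendor_statements(response_text).get(cve_id, []):
        if org.lower() == organization.lower():
            return bool(NOT_AFFECTED_RE.search(comment))
    return None


if __name__ == "__main__":
    for cve_id, stmts in vendor_statements(SAMPLE_RESPONSE).items():
        for org, comment, modified in stmts:
            print(f"{cve_id} [{org} @ {modified}] {comment}")
    print(vendor_says_not_affected(SAMPLE_RESPONSE, "CVE-2006-3747", "Red Hat"))
```

The three-valued result matters in practice: `None` (no statement from the vendor you run) is the case the article describes, where the customer still has to ask support, and it should stay visible in a triage report rather than being folded into "affected" or "not affected". The keyword match is a prioritisation heuristic only; the full comment text is returned so an analyst reads the vendor's actual wording before closing a ticket.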

"The premise of this came about because of an Apache vulnerability that only affected vendors that had compiled Apache in a certain way," Cox said, referring to the popular web server product.

Vulnerability CVE-2006-3747, which affected the mod_rewrite function of Apache, only applied to versions of Apache that had been compiled with some padding in the stack memory.

While Cox acknowledged that the program is most useful for open source software vendors, which often sell the same basic code, albeit packaged differently, he said proprietary software vendors will benefit too. Apache, for example, can be licensed commercially.

So far, Red Hat and Mandriva are believed to be the first two companies to sign up for the NIST service.