Software vulnerabilities are potential attack points in computing systems and can lead to considerable losses and severe security incidents. How the information describing these vulnerabilities is handled is therefore extremely important: vulnerability data is sensitive and should be disclosed only to the right people under the right circumstances. Today, however, vulnerability information sharing is mostly unidirectional. This paper proposes a new approach for handling software vulnerability information: a cooperative system supported by a vulnerability classification. The system is composed of internal protocols that define the state transitions through which new vulnerability information is submitted, classified, verified, and finally made available via a Web interface. Based on features such as their effects and nature, vulnerabilities in the collection can also be assigned a type. The proposed type system is a set of sub-classes that capture the features of well-known vulnerability groups; vulnerabilities can be linked through these types and referenced as a group when storing or retrieving entries, thereby speeding up both operations. A voting mechanism allows a set of cooperating arbiters to review the information submitted from different sources, and only descriptions approved by the arbiters are made available to the members of the cooperative system. The data model that stores the vulnerability information consists of a comprehensive set of features whose values are selected by walking decision trees; the leaves of the trees represent the most detailed qualities of a vulnerability.
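The workflow described above (submission, classification by decision tree, arbiter voting, publication only of approved entries, and retrieval by type) can be sketched as a small state machine. The following is an added illustration and not code from the paper or its prototype; the state names, the legal transitions, the two-vote quorum rule, the toy "effect" decision tree and the sample submissions are all assumptions made for the example.

```python
"""Illustrative state machine for a cooperative vulnerability database.

Added example, not the paper's code. States, transitions, quorum rule,
the decision tree and the sample entries are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    SUBMITTED = "submitted"
    CLASSIFIED = "classified"
    VERIFIED = "verified"
    PUBLISHED = "published"
    REJECTED = "rejected"


# Legal transitions of the (assumed) internal protocol.
TRANSITIONS = {
    State.SUBMITTED: {State.CLASSIFIED, State.REJECTED},
    State.CLASSIFIED: {State.VERIFIED, State.REJECTED},
    State.VERIFIED: {State.PUBLISHED, State.REJECTED},
    State.PUBLISHED: set(),
    State.REJECTED: set(),
}

# Toy decision tree for the "effect" feature (assumed). Inner nodes are
# (question_key, yes_subtree, no_subtree); leaves are the most detailed quality.
EFFECT_TREE = (
    "executes_code",
    ("remote", "remote code execution", "local code execution"),
    ("leaks_data", "information disclosure", "denial of service"),
)


def walk_tree(tree, answers):
    """Descend a yes/no decision tree using the submitter's answers."""
    while not isinstance(tree, str):
        key, yes_branch, no_branch = tree
        tree = yes_branch if answers.get(key, False) else no_branch
    return tree


@dataclass
class Entry:
    ident: str
    source: str
    answers: dict
    state: State = State.SUBMITTED
    features: dict = field(default_factory=dict)
    votes: dict = field(default_factory=dict)  # arbiter -> approve?


class CooperativeDB:
    def __init__(self, arbiters, quorum):
        self.arbiters = set(arbiters)
        self.quorum = quorum
        self.entries = {}

    def _move(self, entry, new_state):
        if new_state not in TRANSITIONS[entry.state]:
            raise ValueError(f"{entry.ident}: {entry.state.value} -> {new_state.value} not allowed")
        entry.state = new_state

    def submit(self, ident, source, answers):
        self.entries[ident] = Entry(ident, source, dict(answers))

    def classify(self, ident):
        entry = self.entries[ident]
        entry.features["effect"] = walk_tree(EFFECT_TREE, entry.answers)
        self._move(entry, State.CLASSIFIED)

    def vote(self, ident, arbiter, approve):
        """Only registered arbiters may vote, and only on classified entries."""
        if arbiter not in self.arbiters:
            raise PermissionError(f"{arbiter} is not an arbiter")
        entry = self.entries[ident]
        if entry.state is not State.CLASSIFIED:
            raise ValueError("votes are only accepted on classified entries")
        entry.votes[arbiter] = approve
        approvals = sum(1 for v in entry.votes.values() if v)
        rejections = len(entry.votes) - approvals
        if approvals >= self.quorum:
            self._move(entry, State.VERIFIED)
        elif rejections > len(self.arbiters) - self.quorum:
            self._move(entry, State.REJECTED)  # quorum can no longer be reached

    def publish(self, ident):
        self._move(self.entries[ident], State.PUBLISHED)

    def visible_to_members(self, effect=None):
        """Members see only published entries, optionally filtered by type."""
        return [e.ident for e in self.entries.values()
                if e.state is State.PUBLISHED
                and (effect is None or e.features.get("effect") == effect)]
```

The point of the example is the gating: an entry reaches members only after classification, an arbiter quorum and an explicit publish step, and any attempt to skip a state, or to vote without being an arbiter, is refused rather than silently accepted.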