Help Net Security interviewed Art Manion, Tharros, FIRST Liaison Member, FIRST VRDX-SIG Chair, CVE Board Member, CVE SPWG Chair, on why vulnerability databases keep failing us, and what the community needs to do about it.

Highlights:

- Stop treating this as a data problem; it's first an architecture problem
- There is no minimum set of assertions that can confirm two systems describe the same vulnerability
- CVSS scores are pulling attention away from the harder work of real risk assessment
- 50%+ of vendor names in NVD's CPE data have naming inconsistencies; if you can't identify the product, nothing else matters
- Before writing new specs or building new tools, the community needs shared terms and principles

This research is part of ongoing collaborative work with Jay Jacobs, Co-Founder & Data Scientist, Empirical Security, FIRST EPSS-SIG Co-Chair, CVE Consumer WG Chair.

Catch Art and Jay live at: 'A Paradigm Shift in Vulnerability Identity: Why Vulnerability Databases Struggle' — April 14, 1:30–2:30 PM MST.

📖 Read the full interview: https://go.first.org/jnofT