A Framework for Vulnerability Reports
Consortium to Enhance Standard Way to Exchange Breach Information

A consortium of eight major information technology companies is continuing development of a free framework designed to make it easier to exchange information about security vulnerabilities.

The Industry Consortium for Advancement of Security on the Internet last year released the first version of the Common Vulnerability Reporting Framework, and it's now working on enhancements, says Russell Smoak, the group's newly elected president.

The goal of the framework, Smoak says, is "to allow for consistency in how vendors, researchers and customers exchange vulnerability information in an automated format." For example, he explains, an organization that's a customer of three companies that have all been affected by a data breach could receive consistent reports and then more promptly take appropriate action.

"It streamlines risk management," he said in an interview Feb. 28 at a consortium meeting held in conjunction with the RSA Conference in San Francisco. "It speeds the response in the event of a breach."

In the interview, Smoak also:

  • Provides more details about the framework, which is available, along with a white paper, for free on the consortium's website;
  • Describes the mission of the organization. "It's really a peer group of incident responders ... that allows us to collaborate very closely in dealing with some of the security vulnerabilities and incident handling across the Internet."
  • Discusses another project designed to develop best practices for how to manage threats from vulnerabilities in open source software.

Smoak is director and manager of security research and operations at Cisco Systems, a founding member of the consortium. Other members are Intel, IBM, Juniper Networks, Microsoft, Nokia, Amazon and Oracle.



