Leading Linux vendor Red Hat is developing a new software vulnerability database with the National Institute of Standards and Technology (NIST). The database will give vendors of both open source and proprietary software a place to post official statements and security-related information pertaining to their own projects and products.
At Red Hat’s recommendation to NIST, the new security information service will be implemented within the agency’s National Vulnerability Database (NVD) and will be based on the Common Vulnerabilities and Exposures (CVE) naming standard, providing “an open, transparent forum to contribute information about vulnerabilities,” according to Red Hat.
While open source software vendors are generally good at notifying users of existing vulnerabilities, they are not always as good at notifying them when they are not likely to be affected by those vulnerabilities. The new service will help with that, Red Hat Security Response Director Mark Cox told LinuxInsider.
The idea for the new service arose last month, when an Apache Web server vulnerability affected a number of open source software stacks and Linux distributions, but did not affect Red Hat specifically, Cox explained.
There was no good vehicle to inform concerned users that they would not be affected, he noted, adding that this is a problem that is beginning to occur more frequently.
The issue is common among software vendors and distributors who fold multiple open source applications into their own software products.
The new vulnerability reporting service could provide a solid resource for software users and security experts, and particularly for government users, with NIST acting as a gatekeeper, IT-Harvest Founder and Chief Research Analyst Richard Stiennon told LinuxInsider.
However, he warned that a simple database may not be very useful, and said an infrastructure will be required to provide truly helpful vulnerability information.
Red Hat and NIST did indicate that a complete XML feed from the vulnerability reporting service will be updated every two hours.
Another potential issue for the new database is that it must avoid compulsory reporting, which could become onerous, Stiennon remarked. If reporting is completely voluntary, though, it could become bogged down in vendor spin, he added.
Spin would be reasonably easy to spot, according to Red Hat’s Cox, who said he expects many vendors to take advantage of the new service.
“We’re going to take a leadership position and show vendors how useful this is,” he said.
With this and other initiatives, the open source side of the software industry has displayed a superior approach to security, Stiennon opined.
“I think they’re setting the bar at the highest level in IT security,” he said of open source software projects, which typically allow users to sign up for access to the latest security updates and notifications.
Conversely, proprietary software vendors typically try to hide information about vulnerabilities in their products, or hold off on disclosure until a patch or other fix is ready, Stiennon said.