Patrick Garrity 👾🛹💙’s Post

We understand that timely and accurate information about Common Vulnerabilities and Exposures (CVEs) is critical to help organizations prioritize remediation, understand trends, and drive vendors to address classes of vulnerability.  Today, we want to inform organizations of an enrichment effort we are calling "Vulnrichment," which focuses on adding Common Platform Enumeration, Common Vulnerability Scoring System, Common Weakness Enumeration, and Known Exploited Vulnerabilities to CVEs. We recently enriched 1,300 CVEs and continue to diligently work to ensure all submitted CVEs are enriched. We ask all CVE Numbering Authorities (CNAs) to provide complete CVEs when making initial submission to CVE.org. Soon, we’ll also start sharing decision points from CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC). We will use CVE JSON format so stakeholders can immediately start incorporating these updates into vulnerability management processes. This enrichment effort can be found at our Vulnrichment GitHub Repository: https://lnkd.in/gbgHjGZ9. Our GitHub approach includes a readme with more info and enables stakeholders to report errors and offer suggestions directly to CISA. If you have questions or constructive input on vulnerability enrichment, please contact us at [email protected]. 

We understand that timely and accurate information about Common Vulnerabilities and Exposures (CVEs) is critical to help organizations prioritize remediation, understand trends, and drive vendors to address classes of vulnerability.  Today, we want to inform organizations of an enrichment effort we are calling "Vulnrichment," which focuses on adding Common Platform Enumeration, Common Vulnerability Scoring System, Common Weakness Enumeration, and Known Exploited Vulnerabilities to CVEs. We recently enriched 1,300 CVEs and continue to diligently work to ensure all submitted CVEs are enriched. We ask all CVE Numbering Authorities (CNAs) to provide complete CVEs when making initial submission to CVE.org. Soon, we’ll also start sharing decision points from CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC). We will use CVE JSON format so stakeholders can immediately start incorporating these updates into vulnerability management processes. This enrichment effort can be found at our Vulnrichment GitHub Repository: https://lnkd.in/gbgHjGZ9. Our GitHub approach includes a readme with more info and enables stakeholders to report errors and offer suggestions directly to CISA. If you have questions or constructive input on vulnerability enrichment, please contact us at [email protected]. 

We understand that timely and accurate information about Common Vulnerabilities and Exposures (CVEs) is critical to help organizations prioritize remediation, understand trends, and drive vendors to address classes of vulnerability.  Today, we want to inform organizations of an enrichment effort we are calling "Vulnrichment," which focuses on adding Common Platform Enumeration, Common Vulnerability Scoring System, Common Weakness Enumeration, and Known Exploited Vulnerabilities to CVEs. We recently enriched 1,300 CVEs and continue to diligently work to ensure all submitted CVEs are enriched. We ask all CVE Numbering Authorities (CNAs) to provide complete CVEs when making initial submission to CVE.org. Soon, we’ll also start sharing decision points from CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC). We will use CVE JSON format so stakeholders can immediately start incorporating these updates into vulnerability management processes. This enrichment effort can be found at our Vulnrichment GitHub Repository: https://lnkd.in/gbgHjGZ9. Our GitHub approach includes a readme with more info and enables stakeholders to report errors and offer suggestions directly to CISA. If you have questions or constructive input on vulnerability enrichment, please contact us at [email protected]. 

We understand that timely and accurate information about Common Vulnerabilities and Exposures (CVEs) is critical to help organizations prioritize remediation, understand trends, and drive vendors to address classes of vulnerability.  Today, we want to inform organizations of an enrichment effort we are calling "Vulnrichment," which focuses on adding Common Platform Enumeration, Common Vulnerability Scoring System, Common Weakness Enumeration, and Known Exploited Vulnerabilities to CVEs. We recently enriched 1,300 CVEs and continue to diligently work to ensure all submitted CVEs are enriched. We ask all CVE Numbering Authorities (CNAs) to provide complete CVEs when making initial submission to CVE.org. Soon, we’ll also start sharing decision points from CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC). We will use CVE JSON format so stakeholders can immediately start incorporating these updates into vulnerability management processes. This enrichment effort can be found at our Vulnrichment GitHub Repository: https://lnkd.in/gbgHjGZ9. Our GitHub approach includes a readme with more info and enables stakeholders to report errors and offer suggestions directly to CISA. If you have questions or constructive input on vulnerability enrichment, please contact us at [email protected]. 

We understand that timely and accurate information about Common Vulnerabilities and Exposures (CVEs) is critical to help organizations prioritize remediation, understand trends, and drive vendors to address classes of vulnerability.  Today, we want to inform organizations of an enrichment effort we are calling "Vulnrichment," which focuses on adding Common Platform Enumeration, Common Vulnerability Scoring System, Common Weakness Enumeration, and Known Exploited Vulnerabilities to CVEs. We recently enriched 1,300 CVEs and continue to diligently work to ensure all submitted CVEs are enriched. We ask all CVE Numbering Authorities (CNAs) to provide complete CVEs when making initial submission to CVE.org. Soon, we’ll also start sharing decision points from CISA’s Stakeholder-Specific Vulnerability Categorization (SSVC). We will use CVE JSON format so stakeholders can immediately start incorporating these updates into vulnerability management processes. This enrichment effort can be found at our Vulnrichment GitHub Repository: https://lnkd.in/gbgHjGZ9. Our GitHub approach includes a readme with more info and enables stakeholders to report errors and offer suggestions directly to CISA. If you have questions or constructive input on vulnerability enrichment, please contact us at [email protected]. 

As I am still relatively new to Vulnerability Management, I came across this article and found it super resourceful: https://lnkd.in/e_EnD6dH Some takeaways: - Understand the CVE Program structure, where CISA and NVD come into play. This helps shed some more light on the lack of CVE analysis from NVD, and CISA's new vulnrichment program and where things align in regards to vulnerability management and CVE enrichment. - A reiteration of my previous post, how CISA KEV is a good starting point for focusing on bringing down the number of vulns. in your environment, but should not be taken as the single source of truth. - EPSS Scores and what they really mean