A History In Open Vulnerability Management Standards and Initiatives

In the landscape of cybersecurity, vulnerability management stands as a critical line of defense, evolving to meet the relentless advancement of cyber threats. Over the past two decades the field has seen a proliferation of vulnerabilities, with the National Vulnerability Database (NVD) currently documenting over 200,000 of them. This escalation underscores the need for robust, efficient vulnerability management standards and initiatives, which are the focus of the timeline presented here.

This document endeavors to chart the trajectory of significant milestones, standards, and open-source projects that have emerged in the realm of vulnerability management since 1999. The primary focus of this guide is on CVE-based vulnerabilities. By providing a historical lens, we aim to furnish readers with insights into the development and progression of crucial initiatives designed to catalog, assess, and mitigate vulnerabilities. Each section herein is headed by a project and its launch year, followed by a concise summary encapsulating its origins, objectives, and contributions to the broader vulnerability management framework.

Through this chronological mapping, we present a tapestry of concerted efforts and innovations that have collectively shaped the current state of vulnerability management. As cyber risks continue to morph and escalate, understanding the historical context and evolution of these standards and tools is instrumental for both cybersecurity professionals and organizations committed to safeguarding their digital assets and networks against the ever-present and evolving cyber threats.

1998 - Nessus (Not Depicted)

In 1998, Renaud Deraison created the Nessus Project as a free remote security scanner. On October 5, 2005, with the release of Nessus 3, the project changed from the GNU General Public License to a proprietary license.

https://en.wikipedia.org/wiki/Nessus_(software)

1999 - CVE List

In 1999, the groundwork for the CVE List was laid by MITRE Corporation’s David E. Mann and Steven M. Christey through their white paper, Towards a Common Enumeration of Vulnerabilities. This initiative led to the formation of a working group and creation of the initial 321 CVE Records, with the CVE List officially launching for public access in September 1999.

https://www.cve.org/About/History

2003 - Metasploit

The Metasploit Project, initiated by H.D. Moore in 2003, is renowned for its open-source Metasploit Framework, a potent tool developed for crafting and executing exploit codes against remote target machines. Beyond the framework, Metasploit offers a collection of sub-projects, including the Opcode Database, shellcode archive, and various anti-forensic and evasion tools.

https://docs.metasploit.com/

2005 - CVSS v1

2005 saw the introduction of the Common Vulnerability Scoring System (CVSS) Version 1, established with the aim of providing standardized severity ratings for software vulnerabilities. The initiative was pioneered by Mike Schiffman, Gerhard Eschelbeck, Dave Ahmad, Andrew Wright and Sasha Romanosky. Although it wasn’t perfect, feedback from its initial use provided invaluable insights for its future refinement and development.

https://www.first.org/cvss/v1/

2005 - NIST National Vulnerability Database

The U.S. National Vulnerability Database (NVD), established in 2005, serves as a comprehensive repository and reference tool for cybersecurity vulnerabilities, built upon and synchronized with the CVE List. This database is crucial for various stakeholders in cybersecurity, offering detailed information on current vulnerabilities.

https://nvd.nist.gov/general/nvd-dashboard

2006 - OpenVAS

In 2006, several forks of Nessus were created in response to the discontinuation of the open-source solution. Of these forks, only one has continued to show activity: OpenVAS, the Open Vulnerability Assessment System.

https://openvas.org/

2007 - CVSS v2

CVSS Version 2 was unveiled in 2007, marking a significant upgrade from its predecessor. This release was announced collaboratively by the Forum of Incident Response and Security Teams (FIRST) and the Common Vulnerability Scoring System-Special Interest Group (CVSS-SIG).

https://www.first.org/cvss/v2/

2015 - CVSS v3

Initiated in 2012, the development of CVSS Version 3 culminated in its release in June 2015. This iteration brought about numerous changes, including modifications to the numerical formulas, metrics, and the introduction of new severity ratings, providing a more refined and effective tool for assessing software vulnerabilities.

https://www.first.org/cvss/v3-0/

2016 - CVE Numbering Authority Expanded

In 2016, an active expansion of organizations participating as CVE Numbering Authorities (CNAs) was initiated. CNAs are pivotal to the building of the CVE List, as every CVE Record is added by a CNA. This collaborative effort continues to grow, engaging more organizations globally to partner with the CVE Program.

https://www.cve.org/About/History

2017 - GitHub Security Advisories

GitHub introduced its Security Advisory Database in 2017, providing a curated list of known security vulnerabilities and malware. The database aggregates information from various sources, including advisories reported on GitHub, the NVD, and several other advisory databases. It publishes advisories in the Open Source Vulnerability (OSV) format, contributing significantly to global cybersecurity efforts.

https://docs.github.com/en/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database

2019 - CVSS v3.1

June 17, 2019, marked the release of CVSS Version 3.1, a minor but important update aimed at improving clarity and usability without introducing new metrics. This version incorporated valuable insights from industry experts and refined various aspects of the CVSS standard to better align with the evolving cybersecurity landscape.

https://www.first.org/cvss/v3-1/

2019 - Stakeholder-Specific Vulnerability Categorization (SSVC)

The Stakeholder-Specific Vulnerability Categorization (SSVC) was introduced in 2019 as a testable model to aid organizations in prioritizing their vulnerability management activities. Developed to address the limitations of CVSS, SSVC offers decision trees tailored to the different stakeholder communities in vulnerability management, providing a viable, empirical alternative for vulnerability prioritization. SSVC was created by Jonathan Spring, Eric Hatleback, Allen D. Householder, Art Manion and Deana Shick.

https://insights.sei.cmu.edu/library/prioritizing-vulnerability-response-a-stakeholder-specific-vulnerability-categorization-version-20/

2021 - EPSS v1

Launched in January 2021, the Exploit Prediction Scoring System (EPSS) Version 1 offered a data-driven approach to estimating the likelihood of a vulnerability being exploited. With the objective of aiding network defenders in prioritizing remediation efforts, EPSS v1 provided a simple, interpretable, and parsimonious model to assess the threat levels associated with different vulnerabilities. EPSS was created by Jay Jacobs, Sasha Romanosky, Ben Edwards, Idris Adjerid, and Michael Roytman.

https://www.first.org/epss/

2021 - CISA KEV

The Known Exploited Vulnerability (KEV) catalog, maintained by CISA, serves as the authoritative source for vulnerabilities exploited in the wild. It offers a crucial resource for network defenders and organizations looking to mitigate known threats by prioritizing the remediation of listed vulnerabilities.

All federal civilian executive branch (FCEB) agencies are required to remediate vulnerabilities in the KEV catalog within prescribed timeframes under Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities. Although not bound by BOD 22-01, every organization, including those in state, local, tribal, and territorial (SLTT) governments and private industry, can significantly strengthen its security and resilience posture by prioritizing the remediation of the vulnerabilities listed in the KEV catalog as well.

https://www.cisa.gov/known-exploited-vulnerabilities
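As an added example (not part of the original timeline), the following Python combines the three open prioritization signals described in the EPSS and KEV sections above, together with CVSS severity, into one remediation order, showing how a high-CVSS but rarely exploited CVE can rank below a lower-severity one that is in KEV or has a high EPSS probability. The ranking rule, the 0.10 EPSS cut-off and the tier names are assumptions for illustration only, and the CVE identifiers are constructed placeholders.

```python
"""Combine CVSS severity, EPSS probability and CISA KEV listing into a
single remediation order. The ranking rule and thresholds below are
illustrative assumptions, not rules defined by CVSS, EPSS or CISA."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float     # CVSS base score, 0.0-10.0
    epss: float     # EPSS probability of exploitation in the next 30 days
    in_kev: bool    # listed in the CISA KEV catalog


# Constructed sample findings; the CVE identifiers are placeholders, not real records.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.020, in_kev=False),
    Finding("CVE-0000-0002", cvss=7.5, epss=0.910, in_kev=True),
    Finding("CVE-0000-0003", cvss=5.3, epss=0.640, in_kev=False),
    Finding("CVE-0000-0004", cvss=9.1, epss=0.010, in_kev=False),
    Finding("CVE-0000-0005", cvss=6.1, epss=0.005, in_kev=True),
]

EPSS_THRESHOLD = 0.10   # assumed cut-off; FIRST publishes no mandated value


def priority_key(f: Finding) -> tuple:
    """Sort key: KEV listing first (exploitation confirmed in the wild),
    then EPSS above threshold (exploitation likely), then CVSS severity,
    then raw EPSS as a tiebreaker. Larger tuples sort as more urgent."""
    return (f.in_kev, f.epss >= EPSS_THRESHOLD, f.cvss, f.epss)


def prioritize(findings):
    """Return the findings ordered from most to least urgent."""
    return sorted(findings, key=priority_key, reverse=True)


def bucket(f: Finding) -> str:
    """Assign a remediation tier (tier names and cut-offs are assumed)."""
    if f.in_kev:
        return "P1-kev"
    if f.epss >= EPSS_THRESHOLD:
        return "P2-likely-exploited"
    if f.cvss >= 9.0:
        return "P3-critical-severity"
    return "P4-backlog"


if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{bucket(f):22} {f.cve}  cvss={f.cvss:4.1f}  epss={f.epss:.3f}")
```

Note that CVE-0000-0001 (CVSS 9.8) lands below CVE-0000-0003 (CVSS 5.3) because the latter carries a far higher EPSS probability; swapping the key order changes which signal dominates.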

2022 - EPSS v2

EPSS v2, released in 2022, marked a significant evolution with the integration of over 1,100 variables in a centralized, API-driven model. This enhanced version utilized a gradient-boosted tree-based model for daily scoring, offering improved accuracy and performance in predicting vulnerability exploitation within the next 30 days.

https://www.cyentia.com/epss-version-2-is-out/

2023 - EPSS v3

2023 - CVSS v4.0

CVSS Version 4.0, also released in 2023, introduced various enhancements including new nomenclature, metrics, and values to provide a more nuanced understanding of vulnerabilities. With additional focus on OT/ICS/Safety, this version offers a comprehensive tool for assessing and scoring vulnerabilities, aiding various stakeholders in the cybersecurity ecosystem.

https://www.first.org/cvss/v4-0/