NIST, DHS add national vulnerability database to mix
Robert Lemos, SecurityFocus 2005-08-12

The National Institute of Standards and Technology and the Department of Homeland Security took the wraps off the National Vulnerability Database this week, but questions still remain whether the federal initiative improves upon existing databases or just adds another choice to the current collections of flaws.

What a total waste of federal funds!!! 2005-08-12
Age (1 replies)
Re: What a total waste of federal funds!!! 2005-08-16
Certified Security Professional (1 replies)
Re: Re: What a total waste of federal funds!!! 2005-08-19
Age
The point of my statement is quite simple. We already have mature vulnerability databases in the form of the OSVDB & ISS X-Force Database. Both databases are peer reviewed, and are open for comment. Both are superior to the NVD.

The OSVDB is run by several security professionals from the elite within the security community. ISS X-Force likewise has a stellar reputation for accuracy. These organizations do have their own rigorous standards, as seen by the quality of their work.

Your assumption that the OSVDB & ISS will manipulate data within their databases is just as likely as the NVD personnel altering the NVD, in order to prove to obtain more funding for the NVD project.

This is a prime example of something the private industry is doing better, faster, cheaper than the federal government.

Common Criteria evaluations & FIPS compliances have been sourced now to commercial laboratories, because they are faster and more economical than government. They have more incentive to perform their work better.

If Commercial interests can be trusted to perform CC & FIPS work, then vulnerability databases also belong in the private sector.

As for your argument about the size of an organization being relevant, ISS X-Force & OSVDB are much larger than the NVD team. Although the size of the organization has little consequence on the quality of the output, again your own points defeat you.

In general, I find your response to be characterized by a logical fallacy "Government is to be trusted more so than private, open source, or commercial entities". Is that why the Clipper chip is so popular?

Cheers!

Copyright 2008, SecurityFocus