Given the increase in successful attacks against all forms of IT infrastructure, it has become obvious that current efforts to track vulnerabilities using vulnerability identifiers have reached their limit. Identifiers need to be easily discovered, fast to assign, updatable, and publicly available. The number of vulnerabilities is growing faster than we are currently able to track them.
With the proliferation of open source usage in services and commercial software, the requirements for vulnerability identifiers have changed. Increased scope of coverage, deeper reporting and information, and reduced latency are now requirements. Everyone in IT is building and consuming software in unique ways; there is no one single way in our modern infrastructure, and any attempt at a one-size-fits-all approach is doomed to failure.
The initial working group is meant to identify and understand the problems around vulnerability discovery, reporting, publication, tracking, and classification. Using the same style of open source collaborative techniques that have worked to create the software ecosystem that we have today, the CSA is creating a community-focused working group meant to replicate this success in the vulnerability identifier problem space.
The CSA Circle Community is available at https://csaurl.org/circle-uvi.
There is also a mailing list at https://csaurl.org/list-uvi.