CR · Jun 26, 2020

Cleaning the NVD: Comprehensive Quality Assessment, Improvements, and Analyses

arXiv:2006.15074v1 · 7 citations
Originality: Synthesis-oriented
AI Analysis

This addresses data reliability issues for security professionals who depend on vulnerability databases, though it is incremental as it focuses on improving an existing database.

The paper assessed the quality of the National Vulnerability Database (NVD), uncovering inconsistent or incomplete data affecting vulnerability details like dates, severity scores, and categorizations, and demonstrated the impact by comparing analyses using original and rectified versions.

Vulnerability databases are vital sources of information on emergent software security concerns. Security professionals, from system administrators to developers to researchers, heavily depend on these databases to track vulnerabilities and analyze security trends. How reliable and accurate are these databases though? In this paper, we explore this question with the National Vulnerability Database (NVD), the U.S. government's repository of vulnerability information that arguably serves as the industry standard. Through a systematic investigation, we uncover inconsistent or incomplete data in the NVD that can impact its practical uses, affecting information such as the vulnerability publication dates, names of vendors and products affected, vulnerability severity scores, and vulnerability type categorizations. We explore the extent of these discrepancies and identify methods for automated corrections. Finally, we demonstrate the impact that these data issues can pose by comparing analyses using the original and our rectified versions of the NVD. Ultimately, our investigation of the NVD not only produces an improved source of vulnerability information, but also provides important insights and guidance for the security community on the curation and use of such data sources.
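As an added example, not code from the paper or its authors, the Python below sketches the kinds of checks and automated corrections the abstract describes, run over constructed records laid out like the NVD JSON 1.1 feeds that the NVD published at the time: publication-date plausibility against the year in the CVE ID, CVSS v3 score/severity consistency, NVD's placeholder CWE values, and vendor-name variants inside CPE 2.3 strings. It then computes the same per-vendor and per-severity aggregates on the original and the rectified feed, the kind of before/after comparison the abstract reports. The sample records, the one-year lag threshold and the vendor-normalization heuristic are assumptions made for illustration.

```python
"""Data-quality checks and corrections over NVD JSON 1.1 feed records (added example)."""
import copy
import re
from collections import Counter, defaultdict

# Constructed records in the layout of the NVD JSON 1.1 feeds. Every value is
# invented to trigger one of the checks below; none is a real NVD entry.
def _item(cve_id, published, vendor, cwe, cvss3=None):
    item = {
        "cve": {
            "CVE_data_meta": {"ID": cve_id},
            "problemtype": {"problemtype_data": [
                {"description": [{"lang": "en", "value": cwe}]}]},
        },
        "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
            {"vulnerable": True,
             "cpe23Uri": f"cpe:2.3:a:{vendor}:widget:1.0:*:*:*:*:*:*:*"}]}]},
        "publishedDate": published,
    }
    if cvss3 is not None:
        score, severity = cvss3
        item["impact"] = {"baseMetricV3": {"cvssV3": {
            "baseScore": score, "baseSeverity": severity}}}
    return item

SAMPLE_FEED = {"CVE_Items": [
    _item("CVE-2014-0001", "2020-06-26T14:15Z", "example_corp", "CWE-79", (9.8, "HIGH")),
    _item("CVE-2019-0002", "2019-03-01T10:00Z", "example_corp", "NVD-CWE-noinfo", (5.3, "MEDIUM")),
    _item("CVE-2020-0003", "2020-05-04T12:00Z", "examplecorp_inc", "CWE-787"),
    _item("CVE-2020-0004", "2019-12-30T09:00Z", "example_corp", "CWE-20", (7.5, "HIGH")),
]}

CVE_ID_RE = re.compile(r"^CVE-(\d{4})-\d{4,}$")
PLACEHOLDER_CWES = {"NVD-CWE-Other", "NVD-CWE-noinfo"}  # NVD's "no specific CWE" values

def severity_from_score(score):
    """CVSS v3.x qualitative rating bands as defined in the CVSS v3 specification."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"

def normalize_vendor(name):
    """Grouping key for vendor spellings (an assumed heuristic, not an NVD rule):
    lowercase, drop punctuation, strip trailing corporate suffixes."""
    key = re.sub(r"[^a-z0-9]", "", name.lower())
    return re.sub(r"(?:inc|corporation|corp|ltd|llc)+$", "", key)

def iter_cpe_matches(item):
    for node in item.get("configurations", {}).get("nodes", []):
        yield from node.get("cpe_match", [])

def vendor_of(cpe23_uri):
    return cpe23_uri.split(":")[3]  # cpe:2.3:<part>:<vendor>:<product>:...

def check_item(item, max_lag_years=1):
    """Return the list of data-quality issues found in one CVE_Items entry."""
    issues = []
    id_year = int(CVE_ID_RE.match(item["cve"]["CVE_data_meta"]["ID"]).group(1))
    pub_year = int(item["publishedDate"][:4])
    if pub_year < id_year:
        issues.append("published before CVE year")
    elif pub_year - id_year > max_lag_years:  # threshold is an assumption
        issues.append(f"published {pub_year - id_year}y after CVE year")
    v3 = item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3")
    if v3 is None:
        issues.append("missing cvssV3")
    elif severity_from_score(v3["baseScore"]) != v3.get("baseSeverity"):
        issues.append("cvssV3 severity/score mismatch")
    cwes = [d["value"] for pt in item["cve"]["problemtype"]["problemtype_data"]
            for d in pt["description"]]
    if not cwes or all(c in PLACEHOLDER_CWES for c in cwes):
        issues.append("no specific CWE")
    return issues

def check_feed(feed, **kw):
    return {it["cve"]["CVE_data_meta"]["ID"]: check_item(it, **kw) for it in feed["CVE_Items"]}

def canonical_vendors(feed):
    """Map every vendor spelling to the most frequent spelling in its group."""
    groups = defaultdict(Counter)
    for item in feed["CVE_Items"]:
        for m in iter_cpe_matches(item):
            v = vendor_of(m["cpe23Uri"])
            groups[normalize_vendor(v)][v] += 1
    return {s: counts.most_common(1)[0][0] for counts in groups.values() for s in counts}

def rectify(feed):
    """Corrected copy: canonical vendor names, severity recomputed from the score."""
    fixed = copy.deepcopy(feed)
    canon = canonical_vendors(fixed)
    for item in fixed["CVE_Items"]:
        for m in iter_cpe_matches(item):
            parts = m["cpe23Uri"].split(":")
            parts[3] = canon[parts[3]]
            m["cpe23Uri"] = ":".join(parts)
        v3 = item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3")
        if v3 is not None:
            v3["baseSeverity"] = severity_from_score(v3["baseScore"])
    return fixed

def summarize(feed):
    """Aggregates a trend analysis might compute: CPE entries per vendor, CVEs per severity."""
    per_vendor, per_sev = Counter(), Counter()
    for item in feed["CVE_Items"]:
        for m in iter_cpe_matches(item):
            per_vendor[vendor_of(m["cpe23Uri"])] += 1
        v3 = item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3")
        per_sev[v3["baseSeverity"] if v3 else "UNSCORED"] += 1
    return per_vendor, per_sev

if __name__ == "__main__":
    for cve, issues in check_feed(SAMPLE_FEED).items():
        print(cve, issues or "ok")
    print("original :", summarize(SAMPLE_FEED))
    print("rectified:", summarize(rectify(SAMPLE_FEED)))
```

On the constructed feed the rectified copy changes the picture in exactly the way the abstract warns about: the single 9.8 entry moves from HIGH to CRITICAL, and the vendor variant collapses into one name, so per-vendor and per-severity counts differ between the two versions. The publication-date lag and the placeholder CWE are flagged but not rewritten, since correcting them needs information outside the record itself.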
