The NVD, or National Vulnerability Database, is a vehicle for housing software vulnerability data. The NVD is a repository of information that is a function of the United States government.
The NVD consists of numerous tools for the discovery and distribution of software flaws. These include software feeds for sharing information, prevention checklists, and ways of measuring the impact of software exploits.
- The NVD stores, distributes, and analyzes Common Vulnerabilities and Exposures (CVE).
- CVE impact is measured using the Common Vulnerability Scoring System (CVSS).
- Exploit/vulnerability types are categorized using Common Weakness Enumeration (CWE).
- Applicability statements are expressed using Common Platform Enumeration (CPE).
What The NVD Isn’t
Importantly, the NVD does not engage in software security testing. The organization coordinates with third-party vendors, such as computer security researchers and computer security firms, in order to discuss vulnerabilities and to ultimately catalog them.
The NVD is made possible through NIST, the National Institute of Standards and Technology, which is part of the United States Department of Commerce (DOC).
The practices of the NVD are outlined using the Security Content Automation Protocol (SCAP).
The larger program started in 1999 as the Internet Categorization of Attacks Toolkit (ICAT), as outlined in this October 1999 research paper.
While not specifically discussed, the functions of the NVD, SCAP, and other tools and governmental organizations are covered in the US Code of Federal Regulations Title 6.