Vulnerability Response Decision Assistance

  • Hal Burch
  • Art Manion
  • Yurie Ito
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 30)


Each year, thousands of new software vulnerabilities are reported, and affected organizations must analyze them and decide how to respond. Many organizations employ ad hoc systems of decision making, which often result in inconsistent decisions that do not properly reflect the concerns of the organization at large. VRDA (Vulnerability Response Decision Assistance) allows organizations to leverage the analysis effort at other organizations and to structure decision-making. VRDA enables organizations to spend less time analyzing vulnerabilities in which they are not interested, to make decisions more consistently, and to structure their decision making to better align with the goals of the organization. VRDA consists of a data exchange format, a decision making model, a decision model creation technique, and a tool embodying these concepts. One response team is employing a basic form of VRDA to cut the number of vulnerabilities analyzed by a factor of two. Another response team is developing and testing a VRDA implementation within their organization.


Response Decision Response Team World Fact Arbitrary Code Software Vulnerability 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    CERT/CC Statistics 1988 – 2006,
  2. [2]
    National Vulnerability Database (NVD) Statistics,
  3. [3]
    Terada, M.: VULDEF: The VULnerability Data publication and Exchange Format data model,
  4. [4]
    Russell, S., Norvig P.: Artificial Intelligence: A Modern Approach. Prentice-Hall, Englewood Cliff, NJ (1995)MATHGoogle Scholar
  5. [5]
  6. [6]
    Forum of Incident Response Teams: Common Vulnerability Scoring System (CVSS),,
  7. [7]
    RUS-CERT: Common Announcement Interchange Format (CAIF),
  8. [8]
    Grobauer, B.: CVE, CME,..., CMSI? – Standardizing System Information,
  9. [9]
    European Information Security Promotion Programme (EISPP): Common Advisory Format Description 2.0,
  10. [10]
    Deutscher CERT-Verbund: Deutsches Advisory Format (DAF),, 2004.
  11. [11]
  12. [12]
    US-CERT Vulnerability Notes Field Descriptions – Metric,
  13. [13]
    Common Vulnerabilities and Exposures (CVE),
  14. [14]
    Vulnerability and Assessment Language (OVAL),
  15. [15]
  16. [16]
    Vulnerability and eXposure Markup Language (VuXML),
  17. [17]
    OSVDB: The Open Source Vulnerability Database,
  18. [18]

Copyright information

© Springer Science+Business Media, LLC 2009

Authors and Affiliations

  1. 1.Carnegie Mellon UniversityPittsburghUSA
  2. 2.Japan Computer Emergency Response Team Coordination CenterTokyoJapan

Personalised recommendations