Internet Engineering Task Force                                 H. Booth
Internet-Draft                           National Institute of Standards
Intended status: Informational                            and Technology
Expires: October 27, 2013                                    K. Scarfone
                                                  Scarfone Cybersecurity
                                                          April 25, 2013


                        Vulnerability Data Model
                     draft-booth-sacm-vuln-model-02

Abstract

   This Internet-Draft describes the Vulnerability Data Model (VDM)
   version 1.0, a vendor neutral data model for expressing data and
   metadata for individual vulnerabilities, and an XML format that can
   be used to exchange vulnerability data model information.  VDM
   provides standard fields, formats and vocabularies that can be used
   to transmit information about software vulnerabilities between
   entities in an interoperable manner.  VDM is suited for a wide
   variety of use cases, and provides extension points to facilitate
   additional use cases.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 27, 2013.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of



Booth & Scarfone        Expires October 27, 2013                [Page 1]

Internet-Draft          Vulnerability Data Model              April 2013


   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  5
     1.1.  Purpose and Scope  . . . . . . . . . . . . . . . . . . . .  5
     1.2.  Audience . . . . . . . . . . . . . . . . . . . . . . . . .  6
     1.3.  Document Structure . . . . . . . . . . . . . . . . . . . .  6
   2.  Document Conventions . . . . . . . . . . . . . . . . . . . . .  7
   3.  Terms and Abbreviations  . . . . . . . . . . . . . . . . . . .  8
     3.1.  Terms  . . . . . . . . . . . . . . . . . . . . . . . . . .  8
     3.2.  Acronyms . . . . . . . . . . . . . . . . . . . . . . . . .  8
   4.  Relationship to Existing Standards and Specifications  . . . .  9
   5.  Conformance  . . . . . . . . . . . . . . . . . . . . . . . . .  9
     5.1.  Capability Conformance . . . . . . . . . . . . . . . . . .  9
     5.2.  Content Conformance  . . . . . . . . . . . . . . . . . . . 10
   6.  Vulnerability Data Model Overview  . . . . . . . . . . . . . . 10
   7.  Data Model Description . . . . . . . . . . . . . . . . . . . . 10
     7.1.  Component Schemas  . . . . . . . . . . . . . . . . . . . . 10
     7.2.  XML Data Model Requirements  . . . . . . . . . . . . . . . 11
       7.2.1.  Vulnerability Data Model XML . . . . . . . . . . . . . 13
         7.2.1.1.  vulnerabilityType  . . . . . . . . . . . . . . . . 13
         7.2.1.2.  vulnerabilityIdType  . . . . . . . . . . . . . . . 15
         7.2.1.3.  vulnerabilityAliasType . . . . . . . . . . . . . . 15
           7.2.1.3.1.  vulnerabilityAliasEnumType . . . . . . . . . . 16
         7.2.1.4.  metadataType . . . . . . . . . . . . . . . . . . . 16
           7.2.1.4.1.  vulnerabilityRecordStatusEnumType  . . . . . . 18
           7.2.1.4.2.  extendedLifecycleEventType . . . . . . . . . . 18
           7.2.1.4.3.  supersessionType . . . . . . . . . . . . . . . 19
           7.2.1.4.4.  lifecycleEventType . . . . . . . . . . . . . . 19
         7.2.1.5.  targetedTextType . . . . . . . . . . . . . . . . . 21
           7.2.1.5.1.  textTargetInformationType  . . . . . . . . . . 21
           7.2.1.5.2.  localeTextType . . . . . . . . . . . . . . . . 22
         7.2.1.6.  vulnerabilityReferencesType  . . . . . . . . . . . 22
           7.2.1.6.1.  vulnerabilityReferenceType . . . . . . . . . . 22
           7.2.1.6.2.  referenceType  . . . . . . . . . . . . . . . . 23
           7.2.1.6.3.  referenceItemType  . . . . . . . . . . . . . . 24
           7.2.1.6.4.  embeddedReferenceItemType  . . . . . . . . . . 24
           7.2.1.6.5.  externalReferenceItemType  . . . . . . . . . . 25
           7.2.1.6.6.  localeNotesType  . . . . . . . . . . . . . . . 25
         7.2.1.7.  vulnerableSoftwareType . . . . . . . . . . . . . . 25
         7.2.1.8.  vulnerableConfigurationType  . . . . . . . . . . . 26
           7.2.1.8.1.  assessmentMethodType . . . . . . . . . . . . . 27
           7.2.1.8.2.  checkReferenceType . . . . . . . . . . . . . . 28
           7.2.1.8.3.  checkSearchType  . . . . . . . . . . . . . . . 28
         7.2.1.9.  vulnerabilityAnalysisType  . . . . . . . . . . . . 28
           7.2.1.9.1.  internalReferenceType  . . . . . . . . . . . . 29
           7.2.1.9.2.  cvss2ImpactType  . . . . . . . . . . . . . . . 29
           7.2.1.9.3.  impactType . . . . . . . . . . . . . . . . . . 30
           7.2.1.9.4.  vulnerabilityCharacteristicType  . . . . . . . 30
       7.2.2.  CVSS v2  . . . . . . . . . . . . . . . . . . . . . . . 31
         7.2.2.1.  cvssType . . . . . . . . . . . . . . . . . . . . . 31
         7.2.2.2.  cvssImpactType . . . . . . . . . . . . . . . . . . 31
         7.2.2.3.  cvssImpactBaseType . . . . . . . . . . . . . . . . 32
         7.2.2.4.  cvssImpactTemporalType . . . . . . . . . . . . . . 32
         7.2.2.5.  cvssImpactEnvironmentalType  . . . . . . . . . . . 32
         7.2.2.6.  metricsType  . . . . . . . . . . . . . . . . . . . 32
         7.2.2.7.  baseMetricsType  . . . . . . . . . . . . . . . . . 33
           7.2.2.7.1.  zeroToTenDecimalType . . . . . . . . . . . . . 34
           7.2.2.7.2.  accessVectorType . . . . . . . . . . . . . . . 34
           7.2.2.7.3.  accessVectorEnumType . . . . . . . . . . . . . 34
           7.2.2.7.4.  accessComplexityType . . . . . . . . . . . . . 35
           7.2.2.7.5.  accessComplexityEnumType . . . . . . . . . . . 35
           7.2.2.7.6.  authenticationType . . . . . . . . . . . . . . 35
           7.2.2.7.7.  authenticationEnumType . . . . . . . . . . . . 36
           7.2.2.7.8.  ciaType  . . . . . . . . . . . . . . . . . . . 36
           7.2.2.7.9.  ciaEnumType  . . . . . . . . . . . . . . . . . 36
         7.2.2.8.  environmentalMetricsType . . . . . . . . . . . . . 36
           7.2.2.8.1.  collateralDamagePotentialType  . . . . . . . . 38
           7.2.2.8.2.  collateralDamagePotentialEnumType  . . . . . . 38
           7.2.2.8.3.  targetDistributionType . . . . . . . . . . . . 38
           7.2.2.8.4.  targetDistributionEnumType . . . . . . . . . . 39
           7.2.2.8.5.  ciaRequirementType . . . . . . . . . . . . . . 39
           7.2.2.8.6.  ciaRequirementEnumType . . . . . . . . . . . . 39
         7.2.2.9.  temporalMetricsType  . . . . . . . . . . . . . . . 40
           7.2.2.9.1.  exploitabilityType . . . . . . . . . . . . . . 41
           7.2.2.9.2.  exploitabilityEnumType . . . . . . . . . . . . 41
           7.2.2.9.3.  remediationLevelType . . . . . . . . . . . . . 41
           7.2.2.9.4.  remediationLevelEnumType . . . . . . . . . . . 41
           7.2.2.9.5.  confidenceType . . . . . . . . . . . . . . . . 42
           7.2.2.9.6.  confidenceEnumType . . . . . . . . . . . . . . 42
   8.  Controlled Vocabularies  . . . . . . . . . . . . . . . . . . . 42
     8.1.  event-type . . . . . . . . . . . . . . . . . . . . . . . . 42
     8.2.  intended-uses  . . . . . . . . . . . . . . . . . . . . . . 43
     8.3.  content-type . . . . . . . . . . . . . . . . . . . . . . . 45
     8.4.  reference-type . . . . . . . . . . . . . . . . . . . . . . 45
   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 46
   10. IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 46
   11. Security Considerations  . . . . . . . . . . . . . . . . . . . 46
   12. Normative References . . . . . . . . . . . . . . . . . . . . . 47
   Appendix A.  Use Cases . . . . . . . . . . . . . . . . . . . . . . 47
     A.1.  OEM Vendor Statements  . . . . . . . . . . . . . . . . . . 47
     A.2.  Security Researchers . . . . . . . . . . . . . . . . . . . 48
     A.3.  System Design and Planning . . . . . . . . . . . . . . . . 48
     A.4.  Assessment Content Authoring . . . . . . . . . . . . . . . 49
     A.5.  Certification and Accreditation  . . . . . . . . . . . . . 49
   Appendix B.  VDM Examples  . . . . . . . . . . . . . . . . . . . . 50
     B.1.  Sample 1 . . . . . . . . . . . . . . . . . . . . . . . . . 51
     B.2.  Sample 2 . . . . . . . . . . . . . . . . . . . . . . . . . 52
     B.3.  Sample 3 . . . . . . . . . . . . . . . . . . . . . . . . . 53
     B.4.  Sample 4 . . . . . . . . . . . . . . . . . . . . . . . . . 56
   Appendix C.  Vulnerability Data Model Schema . . . . . . . . . . . 58
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 76


1.  Introduction

   A vulnerability may be defined as an error, flaw, or mistake in
   computer software that permits or causes an unintended behavior to
   occur.  As an example, the Common Vulnerabilities and Exposures (CVE)
   dictionary provides a list of known vulnerabilities.  Since the
   unintended behavior of a vulnerability often has computer security
   implications, it is often desirable to exchange vulnerability
   information in order to understand the impact of a vulnerability on
   an enterprise and to prioritize remediation.

   Sharing vulnerability information among individuals, products, and
   organizations has been challenging because of a lack of standardized
   vulnerability data fields, vocabularies, and formats.  The National
   Vulnerability Database (NVD) has been producing vulnerability
   information for over ten years, and this document describes and
   improves upon the data feeds currently provided by the NVD to
   establish the Vulnerability Data Model (VDM), a common basis upon
   which to share vulnerability information.  The Vulnerability Data
   Model facilitates communication of vulnerability information by
   enumerating common data fields and vocabularies useful for describing
   individual vulnerabilities.

   The vulnerability data model and associated exchange format are
   intended for use by universal vulnerability data feeds, such as those
   that would be produced by a vulnerability database or security
   service provider for consuming organizations.  Additionally, the
   vulnerability data model exchange format incorporates extension
   points that allow producer-specific data to be incorporated into a
   data feed, which may optionally be processed by a consuming
   organization that understands the producer-specific data.

1.1.  Purpose and Scope

   This report defines the Vulnerability Data Model and XML data
   exchange format.  The report gives an introduction to VDM version
   1.0, defines the vulnerability data model, and documents conformance
   requirements to comply with VDM 1.0.  The vulnerability data model
   has been divided into two component models: vulnerability core and
   CVSS version 2 models.  Other versions of VDM are not addressed here.
   Future versions of VDM will be defined in distinct revisions of this
   report, each clearly labeled with a revision number and the
   appropriate VDM version number.

   This report does not describe the queries, instructions, methods,
   processes, or data required to produce a VDM document.  This report
   does not describe how to transform any specific data model or data
   set into a VDM document.  This report provides normative guidance



Booth & Scarfone        Expires October 27, 2013                [Page 5]

Internet-Draft          Vulnerability Data Model              April 2013


   relating to the production and consumption of the XML vulnerability
   data model format.  The appendices contain additional information
   about how to use VDM.

1.2.  Audience

   This document is intended for individuals or organizations intending
   to make use of the vulnerability data model to either produce or
   consume vulnerability information.  Possible uses of the
   vulnerability data model include use as part of a product or service
   delivery effort such as a vulnerability database or vulnerability
   scanning tool, use by vendors wishing to supply vulnerability
   information to end users in a human readable format, and use by
   researchers analyzing vulnerability information.  Readers of this
   report should already be familiar with basic vulnerability
   characteristics and concepts.

1.3.  Document Structure

   The remainder of this document is organized into the following major
   sections:

   o  Section 2 defines the document's conventions.

   o  Section 3 defines the terms used within this specification and
      provides a list of common abbreviations.

   o  Section 4 describes how this specification relates to other
      standards and specifications.

   o  Section 5 defines the conformance requirements for VDM.

   o  Section 6 provides an overview of the VDM data model constructs
      and key concepts.

   o  Section 7 documents the VDM data model.

   o  Section 8 lists existing controlled vocabulary items.

   o  Section 9 provides acknowledgments for the document.

   o  Section 10 discusses IANA considerations.

   o  Section 11 discusses security considerations.

   o  Section 12 provides a list of normative references for the
      document.

   o  Appendix A describes use cases for VDM.

   o  Appendix B provides some VDM examples.

   o  Appendix C contains the VDM XML schema.


2.  Document Conventions

   Throughout this specification, when referencing a normative
   reference, the name will be written between brackets, such as [XSD].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

   XML elements [XML] are referred to using qualified names when they
   are not in the VDM namespace.  Elements with no prefix can be assumed
   to be in the VDM namespace, unless otherwise noted.  A qualified name
   associates a named element with a namespace.  The namespace
   identifies the specific XML schema that defines (and consequently may
   be used to validate) the syntax of the element instance.  A qualified
   name declares this schema-to-element association using the format
   'prefix:element-name'.  The association of prefix to namespace is
   defined in the metadata of an XML document and varies from document
   to document.  In this specification, the conventional mappings listed
   in Table 1 are used.

   +----------+---------------------------------+----------+-----------+
   | Prefix   | Namespace URI                   | Schema   | Reference |
   +----------+---------------------------------+----------+-----------+
   | cpe-lang | http://cpe.mitre.org/language/  | CPE      | [CPE]     |
   |          | 2.0                             |          |           |
   | cvssv2   | http://scap.nist.gov/schema/    | CVSS v2  | [CVSSv2]  |
   |          | cvss-v2/1.0                     |          |           |
   | dcterms  | http://purl.org/dc/terms/       | Dublin   | [DCTERMS] |
   |          |                                 | Core     |           |
   |          |                                 | Metadata |           |
   |          |                                 | Terms    |           |
   | xsd      | http://www.w3.org/2001/         | XML      | [XSD]     |
   |          | XMLSchema                       | Schema   |           |
   | xsi      | http://www.w3.org/2001/         | XML      | [XSI]     |
   |          | XMLSchema-instance              | Schema   |           |
   |          |                                 | Instance |           |
   +----------+---------------------------------+----------+-----------+

                    Table 1: Conventional XML Mappings
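
   The following Python script is an added example and is not part of
   this draft.  It shows how a consumer resolves a qualified name to its
   namespace URI: the prefix-to-namespace binding is read from each
   document's own declarations, and elements are matched by URI rather
   than by prefix, so the Table 1 prefixes are a convention and not
   something a consumer may rely on.  The namespace URIs are taken from
   Table 1; the two documents and the element names base_metrics and
   score are constructed for the example and are not taken from the
   CVSS v2 schema.

```python
"""Resolve qualified names to namespace URIs as Section 2 describes.

Added example; it is not part of draft-booth-sacm-vuln-model.  The
prefix -> namespace URI mappings are the conventional ones in Table 1.
The two documents below are constructed for this example, and their
element names (base_metrics, score) are illustrative rather than taken
from the CVSS v2 schema.
"""
import io
import xml.etree.ElementTree as ET

# Conventional prefix -> namespace URI mappings listed in Table 1.
TABLE_1_NAMESPACES = {
    "cpe-lang": "http://cpe.mitre.org/language/2.0",
    "cvssv2": "http://scap.nist.gov/schema/cvss-v2/1.0",
    "dcterms": "http://purl.org/dc/terms/",
    "xsd": "http://www.w3.org/2001/XMLSchema",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed documents: both bind the CVSS v2 namespace, but under
# different prefixes.  Section 2 notes that the prefix binding varies
# from document to document, so a consumer must key on the URI.
DOC_CONVENTIONAL = """<?xml version="1.0"?>
<report xmlns:cvssv2="http://scap.nist.gov/schema/cvss-v2/1.0">
  <cvssv2:base_metrics><cvssv2:score>7.5</cvssv2:score></cvssv2:base_metrics>
</report>"""

DOC_RENAMED = """<?xml version="1.0"?>
<report xmlns:c="http://scap.nist.gov/schema/cvss-v2/1.0">
  <c:base_metrics><c:score>7.5</c:score></c:base_metrics>
</report>"""


def prefix_bindings(xml_text):
    """Return the prefix -> namespace URI bindings a document declares."""
    bindings = {}
    source = io.BytesIO(xml_text.encode("utf-8"))
    for _event, (prefix, uri) in ET.iterparse(source, events=("start-ns",)):
        bindings[prefix] = uri
    return bindings


def to_clark(qname, bindings):
    """Translate 'prefix:element-name' into ElementTree's '{uri}name' form.

    Raises KeyError for a prefix that was never bound, which is the right
    outcome: an element whose namespace is unknown cannot be validated.
    """
    prefix, local = qname.split(":", 1)
    return "{%s}%s" % (bindings[prefix], local)


def find_scores(xml_text):
    """Collect CVSS v2 scores by namespace URI, whatever prefix was used."""
    root = ET.fromstring(xml_text)
    tag = "{%s}score" % TABLE_1_NAMESPACES["cvssv2"]
    return [el.text for el in root.iter(tag)]


if __name__ == "__main__":
    for doc in (DOC_CONVENTIONAL, DOC_RENAMED):
        print(prefix_bindings(doc), find_scores(doc))
```

   Running the script prints the bindings and the scores found in each
   document; both documents yield the same score even though only the
   first uses the Table 1 prefix.  A qualified name whose prefix was
   never bound raises KeyError from to_clark rather than silently
   falling back to a guessed namespace.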


3.  Terms and Abbreviations

   This section defines a set of common terms and abbreviations used
   within this specification.

3.1.  Terms

   Data Source: The origin of the vulnerability data.

   Vulnerability: An error, flaw, or mistake in computer software that
   permits or causes an unintended behavior to occur.

3.2.  Acronyms

   CPE - Common Platform Enumeration

   CVE - Common Vulnerabilities and Exposures

   CVSS - Common Vulnerability Scoring System

   CWE - Common Weakness Enumeration

   IR - Interagency Report

   IT - Information Technology

   NIST - National Institute of Standards and Technology

   OVAL - Open Vulnerability and Assessment Language

   SCAP - Security Content Automation Protocol

   SP - Special Publication

   URI - Universal Resource Identifier

   USGCB - United States Government Configuration Baseline

   VDM - Vulnerability Data Model

   W3C - World Wide Web Consortium

   XCCDF - Extensible Configuration Checklist Description Format

   XML - Extensible Markup Language

   XSD - XML Schema

   XSLT - Extensible Stylesheet Language Transformations


4.  Relationship to Existing Standards and Specifications

   VDM's relationships to other selected specifications are described
   below.

   1.  CPE - VDM leverages CPE to identify affected platforms and
       products.  Information about the CPE specification can be found
       at: http://scap.nist.gov/specifications/cpe/.

   2.  CVSS - VDM uses CVSS to provide metrics and scores for
       vulnerabilities.  Information about the CVSS specification can be
       found at: http://www.first.org/cvss/.

   3.  CWE - VDM leverages CWE to identify the type of software weakness
       underlying a vulnerability.  Information about the CWE
       specification can be found at: http://cwe.mitre.org/.


5.  Conformance

   Developers and organizations may want to build products in
   conformance with VDM to foster consistency and interoperability of
   their own products.  End-user organizations may wish to require
   conformance with VDM in order to have a predictable defined format
   that products and tools used within their environment will produce
   and consume.  In addition, products that conform to this
   specification will be better able to interoperate and exchange
   reporting information with other products that conform to VDM.

   Products may want to claim conformance with this specification to
   advertise their interoperability with other VDM compliant tools and
   repositories, as well as to meet requirements set by other
   specifications or organizations.

   The following sections define the criteria for content and products
   to claim conformance with this specification.

5.1.  Capability Conformance

   There are two types of VDM capabilities: producers and consumers.  A
   producer has the capability to generate VDM documents, while a
   consumer has the capability to accept an existing VDM document and
   process it.  To claim conformance to one or more capabilities defined
   within this specification the following requirements SHALL be adhered
   to:

   1.  For producer capability, generate well-formed content as defined
       in Section 5.2.

   2.  For consumer capability, accept and process well-formed content
       as defined in Section 5.2.

   3.  Make an explicit claim of conformance to this specification in
       any documentation provided to end users.

5.2.  Content Conformance

   In order for a VDM document to be considered in compliance with this
   specification, the document MUST adhere to the following
   requirements:

   1.  The VDM document SHALL conform to all of the normative guidance
       provided in Section 7.


6.  Vulnerability Data Model Overview

   This section is to be developed in the future.  It will provide an
   overview of the vulnerability data model structure and design
   philosophy.


7.  Data Model Description

   This section describes the requirements for the vulnerability data
   model manifested as Extensible Markup Language (XML).  Section 7.1
   discusses the component schemas, while Section 7.2 examines the
   actual XML data model in detail.

7.1.  Component Schemas

   The vulnerability data model was designed in a modular fashion, with
   multiple schemas developed to encourage composability and
   reusability.  Items with similar properties and uses are grouped into
   the same namespace.

                    ===============
                   |Vuln Data Model|
                    ===============
                           |
                           |
                           |
                           |
                           |
                     =============
                    |    CVSSv2    |
                     =============

                Figure 1: Vulnerability Data Model Schemas

   o  CVSS v2: The CVSS v2 schema represents CVSS version 2 scores.  The
      information includes CVSS base metrics, environmental metrics and
      temporal metrics.  See Section 7.2.2 and [CVSSv2] for more
      information on the CVSS v2 schema.

   o  Vulnerability Data Model: The vulnerability data model provides a
      representation of the vulnerability information.  See
      Section 7.2.1 and Appendix C for more information on the
      vulnerability data model schema.

7.2.  XML Data Model Requirements

   The vulnerability element is the root element of the Vulnerability
   Data Model; it is of the vulnerabilityType type.  It contains
   identification, metadata, and additional information about an
   individual Vulnerability in a vulnerability document.  See
   Section 7.2.1.1 for additional information on the vulnerability
   element.


   +---------------+
   | vulnerability |
   +---------------+
   |               |<>----------[ vulnerability-id         ]
   |               |<>--{0..*}--[ vulnerability-id-alias   ]
   |               |<>--{0..1}--[ record-metadata          ]
   |               |<>--{1..*}--[ text                     ]
   |               |<>--{0..1}--[ references               ]
   |               |<>--{0..1}--[ vulnerable-software-list ]
   |               |<>--{0..*}--[ vulnerable-configuration ]
   |               |<>--{0..1}--[ analysis                 ]
   |               |<>--{0..*}--[ ##other                  ]
   +---------------+

                      Figure 2: Vulnerability Element

   In order to comply with the VDM data model,

   o  The user MUST produce an XML vdm:vulnerability element consistent
      with the data model described below.

   o  The XML element produced MUST validate against the XSD for
      Vulnerability Data Model 1.0 listed in Appendix C.  In situations
      where the XSD does not match the documented model elsewhere in
      this specification, the XSD SHALL take precedence.
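
   The following Python script is an added example and is not part of
   this draft.  It pre-screens a vdm:vulnerability element against the
   child cardinalities drawn in Figure 2 before a consumer passes the
   record on for processing, and treats children from another namespace
   as ##other content.  The VDM namespace URI is defined by the schema
   in Appendix C, which is not reproduced here, so the script uses a
   clearly marked placeholder; both sample documents are constructed.
   Such a check supplements, and does not replace, validation against
   the Appendix C XSD, which takes precedence over the prose model.

```python
"""Structural check of a vdm:vulnerability element against Figure 2.

Added example; it is not code from the draft.  The VDM namespace URI
is defined in the schema in Appendix C, which is not reproduced here,
so a clearly marked placeholder stands in for it.  Both sample
documents are constructed.  The check mirrors the child cardinalities
drawn in Figure 2; it is a cheap pre-screen for a consumer and does
not replace validation against the Appendix C XSD, which the draft
says takes precedence over the prose model.
"""
import xml.etree.ElementTree as ET

# Placeholder only: the real VDM namespace URI is given by Appendix C.
VDM_NS = "urn:example:vdm-namespace-PLACEHOLDER"

# Child element cardinalities from Figure 2 as (min, max); a max of
# None means unbounded.  Element order is left to the XSD.
CARDINALITY = {
    "vulnerability-id": (1, 1),
    "vulnerability-id-alias": (0, None),
    "record-metadata": (0, 1),
    "text": (1, None),
    "references": (0, 1),
    "vulnerable-software-list": (0, 1),
    "vulnerable-configuration": (0, None),
    "analysis": (0, 1),
}

# Constructed, well-formed record.  The x:extra child exercises the
# ##other extension point for producer-specific data (Section 1).
SAMPLE_OK = """<vdm:vulnerability xmlns:vdm="%s"
                   xmlns:x="urn:example:producer-extension">
  <vdm:vulnerability-id>EXAMPLE-0001</vdm:vulnerability-id>
  <vdm:vulnerability-id-alias>EXAMPLE-ALIAS-1</vdm:vulnerability-id-alias>
  <vdm:text>Constructed description of the vulnerability.</vdm:text>
  <x:extra>producer-specific data</x:extra>
</vdm:vulnerability>""" % VDM_NS

# Constructed record with three defects: two record-metadata children,
# no text child, and a child that is in no namespace at all.
SAMPLE_BAD = """<vdm:vulnerability xmlns:vdm="%s">
  <vdm:vulnerability-id>EXAMPLE-0002</vdm:vulnerability-id>
  <vdm:record-metadata/>
  <vdm:record-metadata/>
  <unqualified-child/>
</vdm:vulnerability>""" % VDM_NS


def split_tag(tag):
    """Split ElementTree's '{uri}local' into (uri, local); uri '' if none."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return "", tag


def check_vulnerability(xml_text):
    """Return a list of violations of Figure 2; an empty list means none."""
    violations = []
    root = ET.fromstring(xml_text)
    if split_tag(root.tag) != (VDM_NS, "vulnerability"):
        return ["root element is not vdm:vulnerability"]

    counts = {name: 0 for name in CARDINALITY}
    for child in root:
        uri, local = split_tag(child.tag)
        if uri == VDM_NS:
            if local in counts:
                counts[local] += 1
            else:
                violations.append("%s: not a child defined by Figure 2" % local)
        elif uri == "":
            # ##other admits elements from other namespaces, not from none.
            violations.append("%s: unqualified children are not permitted by ##other" % local)
        # Any other namespace is accepted as ##other content.

    for name, (low, high) in CARDINALITY.items():
        n = counts[name]
        if n < low or (high is not None and n > high):
            bound = "n" if high is None else str(high)
            violations.append("%s: expected %d..%s, found %d" % (name, low, bound, n))
    return violations


if __name__ == "__main__":
    print(check_vulnerability(SAMPLE_OK))
    print(check_vulnerability(SAMPLE_BAD))
```

   In a consumer, validate against the XSD first; this check is useful
   as a fast rejection of obviously malformed records and as a readable
   statement of the Figure 2 cardinalities, but it enforces neither
   element order nor the content types of the children.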

   The following tables formalize the data model.  The data contained in
   the tables are requirements and MUST be interpreted as follows:

   o  If present, the "Type Name" field indicates the name for the XML
      type being described.

   o  The "Definition" field indicates the prose description of the
      type/element.  The definition field MAY contain requirement words
      as indicated in [RFC2119].

   o  If present, the "Properties" field is broken into four subfields:

      *  The "Name" column indicates the name of a property that MAY or
         MUST be included in the described type/element, in accordance
         with the cardinality indicated in the "Count" field.

      *  The "Type" column indicates the REQUIRED data type for the
         value of the property.  There are three categories of types:
         literal, element, and special.  A literal type will indicate
         the type of literal as defined in [XSD].  An element type will
         reference the name of another element that defines that
         property.  A special type is listed when the type is neither
         literal nor element.  The special type will indicate the nature
         of permitted content, such as allowing any XML to be used.

      *  The "Count" column indicates the cardinality of the property
         within the type/element.  The property MUST be included in the
         type/element in accordance with the cardinality.  If a range is
         given, and "n" is the upper-bound of the range, then the upper
         limit is unbounded.

      *  The "Definition" column defines the property in the context of
         the type/element.  The definition MAY contain requirement words
         as indicated in [RFC2119].

7.2.1.  Vulnerability Data Model XML

   The vulnerability data model defines the various constructs that are
   used to provide vulnerability information.

7.2.1.1.  vulnerabilityType

   vulnerabilityType holds all of the information about a given
   vulnerability.

   +--------------------+-----------------------+-------+--------------+
   | Name               | Type                  | Count | Definition   |
   +--------------------+-----------------------+-------+--------------+
   | vulnerability-id   | vulnerabilityIdType   | 1     | The unique   |
   | (element)          |                       |       | identifier   |
   |                    |                       |       | for the      |
   |                    |                       |       | vulnerabilit |
   |                    |                       |       | y in regards |
   |                    |                       |       | to this      |
   |                    |                       |       | vulnerabilit |
   |                    |                       |       | y data       |
   |                    |                       |       | source.      |
   | vulnerability-id-a | vulnerabilityAliasTyp | 0-n   | Additional   |
   | lias (element)     | e                     |       | identifiers  |
   |                    |                       |       | for the      |
   |                    |                       |       | vulnerabilit |
   |                    |                       |       | y that       |
   |                    |                       |       | represent it |
   |                    |                       |       | in other     |
   |                    |                       |       | data         |
   |                    |                       |       | sources. An  |
   |                    |                       |       | example      |
   |                    |                       |       | would be a   |
   |                    |                       |       | CVE          |
   |                    |                       |       | identifier.  |
   | record-metadata    | metadataType          | 0-1   | Additional   |
   | (element)          |                       |       | metadata     |
   |                    |                       |       | about the    |
   |                    |                       |       | record.      |
   | text (element)     | targetedTextType      | 1-n   | Provides     |
   |                    |                       |       | textual      |
   |                    |                       |       | information  |
   |                    |                       |       | about the    |
   |                    |                       |       | vulnerabilit |
   |                    |                       |       | y, such as   |
   |                    |                       |       | different    |
   |                    |                       |       | texts for    |
   |                    |                       |       | different    |
   |                    |                       |       | audiences.   |
   |                    |                       |       | See Table 50 |
   |                    |                       |       | for a list   |
   |                    |                       |       | of valid     |
   |                    |                       |       | values.      |
   | references         | vulnerabilityReferenc | 0-1   | References   |
   | (element)          | esType                |       | to           |
   |                    |                       |       | additional   |
   |                    |                       |       | information  |
   |                    |                       |       | about the    |
   |                    |                       |       | vulnerabilit |
   |                    |                       |       | y.           |
   | vulnerable-softwar | vulnerableSoftwareTyp | 0-1   | A list of    |
   | e-list (element)   | e                     |       | CPE names    |
   |                    |                       |       | correspondin |
   |                    |                       |       | g to the     |
   |                    |                       |       | software     |
   |                    |                       |       | versions     |
   |                    |                       |       | that have    |
   |                    |                       |       | this         |
   |                    |                       |       | vulnerabilit |
   |                    |                       |       | y.           |
   | vulnerable-configu | vulnerableConfigurati | 0-n   | A CPE        |
   | ration (element)   | onType                |       | Language     |
   |                    |                       |       | construct    |
   |                    |                       |       | that         |
   |                    |                       |       | identifies   |
   |                    |                       |       | the          |
   |                    |                       |       | conditions   |
   |                    |                       |       | under which  |
   |                    |                       |       | the          |
   |                    |                       |       | vulnerabilit |
   |                    |                       |       | y exists.    |
   | analysis (element) | vulnerabilityAnalysis | 0-n   | Characterist |
   |                    | Type                  |       | ics and      |
   |                    |                       |       | impact of    |
   |                    |                       |       | the          |
   |                    |                       |       | vulnerabilit |
   |                    |                       |       | y,           |
   |                    |                       |       | optionally   |
   |                    |                       |       | split based  |
   |                    |                       |       | on           |
   |                    |                       |       | configuratio |
   |                    |                       |       | n.           |
   | ##other (element)  | xsd:any               | 0-n   | Provides an  |
   |                    |                       |       | extension    |
   |                    |                       |       | point for    |
   |                    |                       |       | additional   |
   |                    |                       |       | information. |
   +--------------------+-----------------------+-------+--------------+

                   Table 2: vulnerabilityType Properties

7.2.1.2.  vulnerabilityIdType

   vulnerabilityIdType is a type used to represent the ID of a
   vulnerability: the id assigned to the vulnerability record by the
   provider of the identified system.  The combination of system and id
   MUST be globally unique.  Extends xsd:token.

   +-------------+------------+-------+--------------------------------+
   | Name        | Type       | Count | Definition                     |
   +-------------+------------+-------+--------------------------------+
   | system      | xsd:string | 1     | The identification system used |
   | (attribute) |            |       | to assign the associated id.   |
   +-------------+------------+-------+--------------------------------+

                  Table 3: vulnerabilityIdType Properties

7.2.1.3.  vulnerabilityAliasType

   vulnerabilityAliasType is a type used to represent the alias of a
   vulnerability.  Extends vulnerabilityIdType.

   +-------------+----------------------------+-------+----------------+
   | Name        | Type                       | Count | Definition     |
   +-------------+----------------------------+-------+----------------+
   | relationshi | vulnerabilityAliasEnumType | 1     | Represents the |
   | p           |                            |       | relationship   |
   | (attribute) |                            |       | of the         |
   |             |                            |       | vulnerability  |
   |             |                            |       | to another     |
   |             |                            |       | vulnerability. |
   +-------------+----------------------------+-------+----------------+

                Table 4: vulnerabilityAliasType Properties

7.2.1.3.1.  vulnerabilityAliasEnumType

   The enumeration of available relationships between vulnerabilities
   that exist in different naming systems.

   Allowed enumeration values: CORRESPONDS, INCLUDED_IN, INCLUDES,
   OVERLAPS

   CORRESPONDS: This vulnerability corresponds to another vulnerability.

   INCLUDED_IN: This vulnerability is included in another vulnerability.

   INCLUDES: This vulnerability includes another vulnerability.

   OVERLAPS: This vulnerability overlaps another vulnerability.

7.2.1.4.  metadataType

   metadataType is a type used to represent the metadata associated with
   the vulnerability.

   +------------+-------------------------------+-------+--------------+
   | Name       | Type                          | Count | Definition   |
   +------------+-------------------------------+-------+--------------+
   | status     | vulnerabilityRecordStatusEnum | 0-1   | Records the  |
   | (element)  | Type                          |       | status of    |
   |            |                               |       | the          |
   |            |                               |       | vulnerabilit |
   |            |                               |       | y record     |
   |            |                               |       | within the   |
   |            |                               |       | scope of the |
   |            |                               |       | primary      |
   |            |                               |       | namespace.   |
   |            |                               |       | Default      |
   |            |                               |       | value is     |
   |            |                               |       | "VALID".     |
   | event      | extendedLifecycleEventType    | 0-n   | Identifies   |
   | (element)  |                               |       | significant  |
   |            |                               |       | events in    |
   |            |                               |       | the          |
   |            |                               |       | lifecycle of |
   |            |                               |       | the entity.  |
   |            |                               |       | The          |
   |            |                               |       | available    |
   |            |                               |       | types of     |
   |            |                               |       | events are   |
   |            |                               |       | listed in    |
   |            |                               |       | Table 48.    |
   |            |                               |       | The event    |
   |            |                               |       | element      |
   |            |                               |       | SHALL NOT    |
   |            |                               |       | have more    |
   |            |                               |       | than one     |
   |            |                               |       | event of a   |
   |            |                               |       | particular   |
   |            |                               |       | type.        |
   | supersessi | supersessionType              | 0-1   | Information  |
   | on         |                               |       | used to      |
   | (element)  |                               |       | indicate     |
   |            |                               |       | supersession |
   |            |                               |       | relationship |
   |            |                               |       | s for a      |
   |            |                               |       | record. This |
   |            |                               |       | element is   |
   |            |                               |       | only to be   |
   |            |                               |       | used if the  |
   |            |                               |       | record has   |
   |            |                               |       | been         |
   |            |                               |       | superseded   |
   |            |                               |       | or if the    |
   |            |                               |       | record has   |
   |            |                               |       | superseded   |
   |            |                               |       | another      |
   |            |                               |       | entry.       |
   +------------+-------------------------------+-------+--------------+

                     Table 5: metadataType Properties

7.2.1.4.1.  vulnerabilityRecordStatusEnumType

   The vulnerabilityRecordStatusEnumType defines the allowed values for
   the status of a vulnerability record.

   Allowed enumeration values: VALID, INVALID, MERGED, SPLIT, DUPLICATE.

   MERGED: The vulnerability identifier has been merged with one or more
   other vulnerability identifiers into a single vulnerability
   identifier.

   SPLIT: The vulnerability identifier has been split into two or more
   other vulnerability identifiers.

   DUPLICATE: The vulnerability identifier is a duplicate of another
   vulnerability identifier.

   INVALID: The vulnerability identifier did not meet the content
   decision criteria.

7.2.1.4.2.  extendedLifecycleEventType

   extendedLifecycleEventType identifies a significant event in the
   lifecycle of the entity.  It extends lifecycleEventType.

   +-------------+------------+-------+--------------------------------+
   | Name        | Type       | Count | Definition                     |
   +-------------+------------+-------+--------------------------------+
   | event-type  | xsd:anyURI | 1-n   | Identifies the type of the     |
   | (attribute) |            |       | event. See Table 48 for more   |
   |             |            |       | information.                   |
   +-------------+------------+-------+--------------------------------+

              Table 6: extendedLifecycleEventType Properties

7.2.1.4.3.  supersessionType

   supersessionType provides a type to encapsulate supersession
   information.

   +-----------------+---------------------+-------+-------------------+
   | Name            | Type                | Count | Definition        |
   +-----------------+---------------------+-------+-------------------+
   | supersedes      | vulnerabilityIdType | 0-n   | If this record    |
   | (element)       |                     |       | supersedes        |
   |                 |                     |       | another entry,    |
   |                 |                     |       | the identifier of |
   |                 |                     |       | the entry that it |
   |                 |                     |       | supersedes.       |
   | supersedes_info | lifecycleEventType  | 0-1   | The date and time |
   | (element)       |                     |       | when the record   |
   |                 |                     |       | superseded        |
   |                 |                     |       | another entry.    |
   | superseded_by   | vulnerabilityIdType | 0-n   | If this record    |
   | (element)       |                     |       | has been          |
   |                 |                     |       | superseded by     |
   |                 |                     |       | another entry,    |
   |                 |                     |       | the identifier of |
   |                 |                     |       | that entry.       |
   | superseded_info | lifecycleEventType  | 0-1   | The date and time |
   | (element)       |                     |       | when the record   |
   |                 |                     |       | was superseded by |
   |                 |                     |       | another entry.    |
   +-----------------+---------------------+-------+-------------------+

                   Table 7: supersessionType Properties

7.2.1.4.4.  lifecycleEventType

   Metadata for a resource.

   +-------------------+---------------------+-------+-----------------+
   | Name              | Type                | Count | Definition      |
   +-------------------+---------------------+-------+-----------------+
   | identifier        | dcterms:identifier  | 0-n   | A reference to  |
   | (element)         |                     |       | the resource    |
   |                   |                     |       | (such as an     |
   |                   |                     |       | identifier).    |
   | date (element)    | dcterms:date        | 0-n   | The date when   |
   |                   |                     |       | an event        |
   |                   |                     |       | occurred.       |
   | creator (element) | dcterms:creator     | 0-n   | The             |
   |                   |                     |       | organization or |
   |                   |                     |       | individual      |
   |                   |                     |       | responsible for |
   |                   |                     |       | creating the    |
   |                   |                     |       | resource.       |
   | contributor       | dcterms:contributor | 0-n   | The             |
   | (element)         |                     |       | organization or |
   |                   |                     |       | individual      |
   |                   |                     |       | responsible for |
   |                   |                     |       | contributing to |
   |                   |                     |       | the resource.   |
   | publisher         | dcterms:publisher   | 0-n   | The             |
   | (element)         |                     |       | organization or |
   |                   |                     |       | individual      |
   |                   |                     |       | responsible for |
   |                   |                     |       | publishing the  |
   |                   |                     |       | resource.       |
   | description       | dcterms:description | 0-n   | A description   |
   | (element)         |                     |       | of the          |
   |                   |                     |       | resource.       |
   | subject (element) | dcterms:subject     | 0-n   | The subject of  |
   |                   |                     |       | the resource.   |
   | source (element)  | dcterms:source      | 0-n   | Another         |
   |                   |                     |       | resource that   |
   |                   |                     |       | this resource   |
   |                   |                     |       | is derived      |
   |                   |                     |       | from.           |
   | extended-metadata | xsd:any             | 0-1   | Provides an     |
   | (element)         |                     |       | extension point |
   |                   |                     |       | for additional  |
   |                   |                     |       | information.    |
   +-------------------+---------------------+-------+-----------------+

                  Table 8: lifecycleEventType Properties
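
   The following Python program is an added example, not code from the
   draft or from its authors.  It parses a constructed feed of three VDM
   records and checks the constraints stated in Sections 7.2.1.2 through
   7.2.1.4.3: the (system, id) pair of vulnerabilityIdType MUST be
   globally unique, the alias relationship and record status values must
   come from the two enumerations, the event element SHALL NOT carry
   more than one event of a particular type, and the supersession
   element is only used when the record superseded, or was superseded
   by, another entry.  The namespace URI, the element names id, alias,
   metadata and vulnerability, and the event-type URIs are assumptions
   of the example (the draft defines the real namespace and the Table 48
   event vocabulary outside this section).

```python
"""Added example (not from the draft): parse the identifier and metadata
parts of constructed VDM records and check the constraints the draft
states for vulnerabilityIdType, vulnerabilityAliasType and metadataType.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Assumption: placeholder namespace.  The draft's real VDM namespace is
# defined elsewhere in the document, not in this section.
VDM = "urn:example:vdm-placeholder"
NS = {"vdm": VDM}

# Enumerations from Sections 7.2.1.3.1 and 7.2.1.4.1.
ALIAS_RELATIONSHIPS = {"CORRESPONDS", "INCLUDED_IN", "INCLUDES", "OVERLAPS"}
RECORD_STATUSES = {"VALID", "INVALID", "MERGED", "SPLIT", "DUPLICATE"}

# Constructed sample feed.  The element names id, alias, metadata and
# vulnerability are assumed to carry the types of the same name; the
# event-type URIs are placeholders for the Table 48 vocabulary.  Record 2
# repeats an event type, record 3 reuses record 1's id, carries an alias
# relationship outside the enumeration and an empty supersession element.
SAMPLE_FEED = f"""<feed xmlns="{VDM}">
  <vulnerability>
    <id system="urn:example:sys-a">A-1001</id>
    <alias system="urn:example:sys-b" relationship="CORRESPONDS">B-77</alias>
    <metadata>
      <status>VALID</status>
      <event event-type="urn:example:event:published"><date>2013-04-01</date></event>
      <event event-type="urn:example:event:modified"><date>2013-04-20</date></event>
      <supersession>
        <supersedes system="urn:example:sys-a">A-1000</supersedes>
        <supersedes_info><date>2013-04-20</date></supersedes_info>
      </supersession>
    </metadata>
  </vulnerability>
  <vulnerability>
    <id system="urn:example:sys-a">A-1000</id>
    <metadata>
      <status>DUPLICATE</status>
      <event event-type="urn:example:event:published"><date>2013-03-01</date></event>
      <event event-type="urn:example:event:published"><date>2013-03-02</date></event>
      <supersession>
        <superseded_by system="urn:example:sys-a">A-1001</superseded_by>
      </supersession>
    </metadata>
  </vulnerability>
  <vulnerability>
    <id system="urn:example:sys-a">A-1001</id>
    <alias system="urn:example:sys-b" relationship="SIMILAR">B-78</alias>
    <metadata><status>VALID</status><supersession/></metadata>
  </vulnerability>
</feed>"""


def check_record(vuln):
    """Return the constraint violations found in one vulnerability element."""
    problems = []
    for alias in vuln.findall("vdm:alias", NS):
        rel = alias.get("relationship")
        if rel not in ALIAS_RELATIONSHIPS:
            problems.append(f"alias {alias.text}: relationship {rel!r} not in "
                            "vulnerabilityAliasEnumType")
    meta = vuln.find("vdm:metadata", NS)
    if meta is None:
        return problems
    status_el = meta.find("vdm:status", NS)
    status = status_el.text if status_el is not None else "VALID"  # Table 5 default
    if status not in RECORD_STATUSES:
        problems.append(f"status {status!r} not in vulnerabilityRecordStatusEnumType")
    # Table 5: the event element SHALL NOT have more than one event of a type.
    per_type = Counter(ev.get("event-type") for ev in meta.findall("vdm:event", NS))
    for event_type, n in per_type.items():
        if n > 1:
            problems.append(f"event-type {event_type} appears {n} times")
    # Table 5: supersession is only used when the record superseded, or was
    # superseded by, another entry, so it must name at least one of them.
    sup = meta.find("vdm:supersession", NS)
    if (sup is not None and sup.find("vdm:supersedes", NS) is None
            and sup.find("vdm:superseded_by", NS) is None):
        problems.append("supersession element present but names no entry")
    return problems


def check_feed(xml_text):
    """Return {(system, id): [problems]} for every record in a feed.
    Records sharing a (system, id) pair are collapsed into one entry that
    also records the uniqueness violation."""
    root = ET.fromstring(xml_text)
    report, seen = {}, Counter()
    for vuln in root.findall("vdm:vulnerability", NS):
        id_el = vuln.find("vdm:id", NS)
        key = (id_el.get("system"), id_el.text.strip())
        seen[key] += 1
        report.setdefault(key, []).extend(check_record(vuln))
    for key, n in seen.items():
        if n > 1:
            report[key].append(f"{key} appears {n} times; (system, id) MUST be "
                               "globally unique")
    return report


if __name__ == "__main__":
    for key, problems in check_feed(SAMPLE_FEED).items():
        print(key, problems or "ok")
```

   A consumer that merges feeds from several providers would run a check
   of this kind before loading records, since the (system, id) pair is
   the only key the model guarantees to be unique.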

7.2.1.5.  targetedTextType

   targetedTextType provides textual information about the
   vulnerability.

   +---------------+---------------------------+-------+---------------+
   | Name          | Type                      | Count | Definition    |
   +---------------+---------------------------+-------+---------------+
   | intended-uses | textTargetInformationType | 0-n   | Specifies the |
   | (element)     |                           |       | potential     |
   |               |                           |       | target and    |
   |               |                           |       | use case      |
   |               |                           |       | combinations  |
   |               |                           |       | where this    |
   |               |                           |       | text may be   |
   |               |                           |       | appropriate.  |
   |               |                           |       | See           |
   |               |                           |       | Section 8.2   |
   |               |                           |       | for more      |
   |               |                           |       | information.  |
   | text          | localeTextType            | 1-n   | Contains      |
   | (element)     |                           |       | texts (such   |
   |               |                           |       | as different  |
   |               |                           |       | texts for     |
   |               |                           |       | different     |
   |               |                           |       | audiences).   |
   +---------------+---------------------------+-------+---------------+

                   Table 9: targetedTextType Properties

7.2.1.5.1.  textTargetInformationType

   textTargetInformationType provides a mechanism to specify the
   intended audiences and uses of an element.

   +--------------+------------+-------+-------------------------------+
   | Name         | Type       | Count | Definition                    |
   +--------------+------------+-------+-------------------------------+
   | content-type | xsd:anyURI | 0-n   | A controlled vocabulary that  |
   | (attribute)  |            |       | allows the specification of   |
   |              |            |       | the type of content. See      |
   |              |            |       | Table 50 for more             |
   |              |            |       | information.                  |
   +--------------+------------+-------+-------------------------------+

              Table 10: textTargetInformationType Properties

7.2.1.5.2.  localeTextType

   The localeTextType defines a string-based element that allows the
   specification of a language.  This type allows the xml:lang attribute
   to associate a specific language with an element's string content.
   Extends xsd:string.

   +-----------------+----------+-------+------------------------------+
   | Name            | Type     | Count | Definition                   |
   +-----------------+----------+-------+------------------------------+
   | lang            | xml:lang | 1     | The language of the text     |
   | (attribute)     |          |       | element.                     |
   +-----------------+----------+-------+------------------------------+

                    Table 11: localeTextType Properties

7.2.1.6.  vulnerabilityReferencesType

   vulnerabilityReferencesType contains information relating to
   references for the vulnerability.

   +-----------+----------------------------+-------+------------------+
   | Name      | Type                       | Count | Definition       |
   +-----------+----------------------------+-------+------------------+
   | reference | vulnerabilityReferenceType | 1-n   | The reference    |
   | (element) |                            |       | source. This     |
   |           |                            |       | SHALL be either  |
   |           |                            |       | a URL or a       |
   |           |                            |       | document.        |
   +-----------+----------------------------+-------+------------------+

             Table 12: vulnerabilityReferencesType Properties

7.2.1.6.1.  vulnerabilityReferenceType

   vulnerabilityReferenceType provides reference information.  Extends
   referenceType.

   +----------------------+-----------------+-------+------------------+
   | Name                 | Type            | Count | Definition       |
   +----------------------+-----------------+-------+------------------+
   | deprecated           | xsd:boolean     | 0-1   | Indicates that   |
   | (attribute)          |                 |       | the reference    |
   |                      |                 |       | has been         |
   |                      |                 |       | deprecated.      |
   |                      |                 |       | Default value is |
   |                      |                 |       | "false".         |
   | type (attribute)     | xsd:anyURI      | 1     | A controlled     |
   |                      |                 |       | vocabulary that  |
   |                      |                 |       | identifies the   |
   |                      |                 |       | reference        |
   |                      |                 |       | category for     |
   |                      |                 |       | this reference.  |
   |                      |                 |       | See Table 51 for |
   |                      |                 |       | more             |
   |                      |                 |       | information.     |
   | lang (attribute)     | xml:lang        | 0-1   | Identifies the   |
   |                      |                 |       | language of the  |
   |                      |                 |       | reference.       |
   |                      |                 |       | Default value is |
   |                      |                 |       | "en".            |
   | source (element)     | xsd:token       | 0-1   | The source that  |
   |                      |                 |       | provided the     |
   |                      |                 |       | reference (e.g., |
   |                      |                 |       | organization,    |
   |                      |                 |       | individual).     |
   | notes (element)      | localeNotesType | 0-1   | Additional notes |
   |                      |                 |       | regarding the    |
   |                      |                 |       | vulnerability or |
   |                      |                 |       | the reference    |
   |                      |                 |       | source.          |
   | extended-information | xsd:any         | 0-n   | Allows           |
   | (element)            |                 |       | additional       |
   |                      |                 |       | information to   |
   |                      |                 |       | be represented   |
   |                      |                 |       | as needed.       |
   +----------------------+-----------------+-------+------------------+

              Table 13: vulnerabilityReferenceType Properties

7.2.1.6.2.  referenceType

   The referenceType defines a container that may be used to hold one or
   more metadata core referenceItemType entities.

   +-----------+-------------------+-------+---------------------------+
   | Name      | Type              | Count | Definition                |
   +-----------+-------------------+-------+---------------------------+
   | item      | referenceItemType | 1-n   | A collection of one or    |
   | (element) |                   |       | more locale-specific      |
   |           |                   |       | reference items.          |
   +-----------+-------------------+-------+---------------------------+

                    Table 14: referenceType Properties

7.2.1.6.3.  referenceItemType

   The referenceItemType extends the localeTextType entity to include an
   optional URI reference (intended to be a URL).

   +-----------+-----------+-------+-----------------------------------+
   | Name      | Type      | Count | Definition                        |
   +-----------+-----------+-------+-----------------------------------+
   | ref-id    | xs:anyURI | 0-1   | A URI reference that points to a  |
   | (element) |           |       | resource. This SHOULD point to    |
   |           |           |       | extra descriptive material, the   |
   |           |           |       | supplier's web site, or the       |
   |           |           |       | platform documentation.           |
   | ##other   | xsd:any   | 0-n   | Provides an extension point for   |
   | (element) |           |       | additional information.           |
   +-----------+-----------+-------+-----------------------------------+

                  Table 15: referenceItemType Properties

7.2.1.6.4.  embeddedReferenceItemType

   embeddedReferenceItemType extends referenceItemType.

   +-----------+---------------------+-------+-------------------------+
   | Name      | Type                | Count | Definition              |
   +-----------+---------------------+-------+-------------------------+
   | text      | xhtmlLocaleTextType | 0-1   | Embedded reference      |
   | (element) |                     |       | material in text form.  |
   |           |                     |       | Either text or binary   |
   |           |                     |       | must be used, but not   |
   |           |                     |       | both.                   |
   | binary    | xsd:base64Binary    | 0-1   | Embedded reference      |
   | (element) |                     |       | material in binary      |
   |           |                     |       | form. Either text or    |
   |           |                     |       | binary must be used,    |
   |           |                     |       | but not both.           |
   +-----------+---------------------+-------+-------------------------+

              Table 16: embeddedReferenceItemType Properties

7.2.1.6.5.  externalReferenceItemType

   Type for a reference with an optional URI reference.  This would
   normally be used to point to extra descriptive material, or the
   supplier's web site, or the platform documentation.  It consists of a
   piece of text (intended to be human-readable) and a URI (intended to
   be a URL, and point to a real resource).

   +-------------+------------+-------+--------------------------------+
   | Name        | Type       | Count | Definition                     |
   +-------------+------------+-------+--------------------------------+
   | href        | xsd:anyURI | 1     | Reference pointing to extra    |
   | (attribute) |            |       | descriptive material, or the   |
   |             |            |       | supplier's web site, or the    |
   |             |            |       | platform documentation.        |
   +-------------+------------+-------+--------------------------------+

              Table 17: externalReferenceItemType Properties

7.2.1.6.6.  localeNotesType

   The localeNotesType defines a container that may contain one or more
   metadata core localeTextType elements.  It is intended to provide a
   location for additional information about an entity.  This type
   defines an element that consists of one or more child note elements.
   It is assumed that each of these note elements is representative of
   the same language as defined by its parent.

   +---------------+----------------+-------+--------------------------+
   | Name          | Type           | Count | Definition               |
   +---------------+----------------+-------+--------------------------+
   | note          | localeTextType | 1-n   | A note in a given        |
   | (element)     |                |       | language.                |
   +---------------+----------------+-------+--------------------------+

                   Table 18: localeNotesType Properties
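
   The following Python program is an added example, not code from the
   draft or from its authors.  It serves Sections 7.2.1.5 and 7.2.1.6
   together: it picks the targetedTextType text intended for a given
   audience (by intended-uses content-type) and language (by xml:lang,
   with a fallback language), lists the ref-id URLs of references that
   are not deprecated, and flags an embedded reference item that carries
   both text and binary, which Table 16 forbids.  The namespace URI, the
   content-type and reference-type URIs (stand-ins for the Table 50 and
   Table 51 vocabularies) and the rule that a text block with no
   intended-uses suits any audience are assumptions of the example.

```python
"""Added example (not from the draft): select audience- and language-
specific text from a constructed VDM record and check the reference
rules in Tables 12, 13 and 16."""
import xml.etree.ElementTree as ET

VDM = "urn:example:vdm-placeholder"   # assumption: placeholder namespace
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"
NS = {"vdm": VDM}

# Constructed sample.  The content-type and type URIs stand in for the
# Table 50 and Table 51 vocabularies, which are not in this section.  The
# third reference embeds an item with both text and binary on purpose.
SAMPLE = f"""<vulnerability xmlns="{VDM}">
  <text>
    <intended-uses content-type="urn:example:content:summary"/>
    <text xml:lang="en">Input is not validated before use.</text>
    <text xml:lang="de">Eingaben werden vor der Verwendung nicht geprueft.</text>
  </text>
  <text>
    <intended-uses content-type="urn:example:content:remediation"/>
    <text xml:lang="en">Apply the vendor update.</text>
  </text>
  <references>
    <reference type="urn:example:ref:advisory" lang="en">
      <source>Example Vendor</source>
      <item><ref-id>https://vendor.example/advisory/1</ref-id></item>
    </reference>
    <reference type="urn:example:ref:patch" deprecated="true">
      <item><ref-id>https://vendor.example/patch/old</ref-id></item>
    </reference>
    <reference type="urn:example:ref:note">
      <item>
        <text xml:lang="en">Inline copy of the advisory.</text>
        <binary>aGVsbG8=</binary>
      </item>
    </reference>
  </references>
</vulnerability>"""


def parse_record(xml_text):
    return ET.fromstring(xml_text)


def xsd_true(value):
    """xsd:boolean lexical forms for true are 'true' and '1'."""
    return value in ("true", "1")


def select_text(vuln, content_type, lang, fallback="en"):
    """Return the localeTextType string for an audience (content-type) and
    language, falling back to `fallback`.  Assumption: a targetedTextType
    with no intended-uses element is suitable for any audience."""
    for block in vuln.findall("vdm:text", NS):
        uses = [u.get("content-type") for u in block.findall("vdm:intended-uses", NS)]
        if uses and content_type not in uses:
            continue
        by_lang = {t.get(XML_LANG): t.text for t in block.findall("vdm:text", NS)}
        if lang in by_lang:
            return by_lang[lang]
        if fallback in by_lang:
            return by_lang[fallback]
    return None


def active_reference_urls(vuln):
    """ref-id values of references not marked deprecated (Table 13 default
    for the deprecated attribute is 'false')."""
    urls = []
    for ref in vuln.findall("vdm:references/vdm:reference", NS):
        if xsd_true(ref.get("deprecated", "false")):
            continue
        urls.extend(r.text for r in ref.findall("vdm:item/vdm:ref-id", NS))
    return urls


def check_references(vuln):
    """Violations of the Table 13 'type' cardinality (exactly one) and the
    Table 16 'text or binary, but not both' rule for embedded items."""
    problems = []
    for ref in vuln.findall("vdm:references/vdm:reference", NS):
        if ref.get("type") is None:
            problems.append("reference without required type attribute")
        for item in ref.findall("vdm:item", NS):
            has_text = item.find("vdm:text", NS) is not None
            has_binary = item.find("vdm:binary", NS) is not None
            if has_text and has_binary:
                problems.append("embedded item carries both text and binary")
    return problems


if __name__ == "__main__":
    rec = parse_record(SAMPLE)
    print(select_text(rec, "urn:example:content:summary", "de"))
    print(active_reference_urls(rec))
    print(check_references(rec))
```

   Because the draft gives "en" as the default for the reference lang
   attribute, the same fallback is used here when a text block lacks the
   requested language.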

7.2.1.7.  vulnerableSoftwareType

   vulnerableSoftwareType identifies the software versions that have
   this vulnerability.

   +------------+----------------------+-------+-----------------------+
   | Name       | Type                 | Count | Definition            |
   +------------+----------------------+-------+-----------------------+
   | product    | cpe-lang:namePattern | 1-n   | The CPE name of the   |
   | (element)  |                      |       | vulnerable software.  |
   +------------+----------------------+-------+-----------------------+

                Table 19: vulnerableSoftwareType Properties

7.2.1.8.  vulnerableConfigurationType

   vulnerableConfigurationType is a CPE language construct that
   identifies the conditions under which the vulnerability exists.

   +---------------+----------------------+-------+--------------------+
   | Name          | Type                 | Count | Definition         |
   +---------------+----------------------+-------+--------------------+
   | id            | xsd:anyURI           | 1     | The id for the     |
   | (attribute)   |                      |       | vulnerable         |
   |               |                      |       | configuration.     |
   | platform-     | cpe-lang:platform-   | 1     | The products that  |
   | configuration | configuration        |       | collectively       |
   | (element)     |                      |       | characterize a     |
   |               |                      |       | particular IT      |
   |               |                      |       | platform type.     |
   | assessment-   | assessmentMethodType | 0-n   | An optional list   |
   | check         |                      |       | of equivalent      |
   | (element)     |                      |       | assessment methods |
   |               |                      |       | that specify       |
   |               |                      |       | additional system  |
   |               |                      |       | state that must be |
   |               |                      |       | present for the    |
   |               |                      |       | vulnerability to   |
   |               |                      |       | exist.             |
   | other         | xsd:any              | 0-n   | Provides an        |
   | (element)     |                      |       | extension point    |
   |               |                      |       | for additional     |
   |               |                      |       | information.       |
   +---------------+----------------------+-------+--------------------+

             Table 20: vulnerableConfigurationType Properties


Booth & Scarfone        Expires October 27, 2013               [Page 26]

Internet-Draft          Vulnerability Data Model              April 2013

7.2.1.8.1.  assessmentMethodType

   The assessmentMethodType denotes a scanner, and the configuration the
   scanner requires, that is capable of detecting the referenced
   vulnerability.  It may also name only an OVAL definition and omit the
   scanner name.  It identifies a tool and any associated information
   about the tool, such as signature versions, that indicates the tool
   is capable of properly detecting and/or remediating the vulnerability
   or misconfiguration.

   +------------------+--------------------+-------+-------------------+
   | Name             | Type               | Count | Definition        |
   +------------------+--------------------+-------+-------------------+
   | assessment-check | checkReferenceType | 1     | Identifies a      |
   | (element)        |                    |       | check that can    |
   |                  |                    |       | be used to        |
   |                  |                    |       | detect the        |
   |                  |                    |       | vulnerability or  |
   |                  |                    |       | misconfiguration. |
   | assessment-      | cpe-lang:          | 0-n   | The CPE name of   |
   | engine (element) | namePattern        |       | the scanning      |
   |                  |                    |       | tool. The CPE     |
   |                  |                    |       | name can be used  |
   |                  |                    |       | for a CPE from    |
   |                  |                    |       | the NVD. The CPE  |
   |                  |                    |       | title attribute   |
   |                  |                    |       | can be used for   |
   |                  |                    |       | internal naming   |
   |                  |                    |       | conventions (or   |
   |                  |                    |       | both, if          |
   |                  |                    |       | possible).        |
   +------------------+--------------------+-------+-------------------+

                 Table 21: assessmentMethodType Properties

7.2.1.8.2.  checkReferenceType

   The checkReferenceType identifies a checking system and a check id
   that together name a method of detecting the presence of the
   vulnerability on an asset.  It extends checkSearchType with an
   external file reference, which points to the file in which the
   referenced test is defined.

   +-------------+------------+-------+--------------------------------+
   | Name        | Type       | Count | Definition                     |
   +-------------+------------+-------+--------------------------------+
   | href        | xsd:anyURI | 1     | Identifies the file in which   |
   | (attribute) |            |       | the check exists               |
   +-------------+------------+-------+--------------------------------+

                  Table 22: checkReferenceType Properties

7.2.1.8.3.  checkSearchType

   The checkSearchType defines a method to represent a searchable check
   identifier that can be used to locate a check in a repository.  It
   identifies the test id and checking system used.

   +-------------+------------+-------+--------------------------------+
   | Name        | Type       | Count | Definition                     |
   +-------------+------------+-------+--------------------------------+
   | system      | xsd:anyURI | 1     | URI for a checking system.     |
   | (attribute) |            |       | SHOULD be the URI for a        |
   |             |            |       | particular version of OVAL or  |
   |             |            |       | a related system testing       |
   |             |            |       | language.                      |
   | name        | xsd:token  | 0-1   | A test identifier. MUST be an  |
   | (attribute) |            |       | identifier of a test written   |
   |             |            |       | in the language specified by   |
   |             |            |       | the system attribute.          |
   +-------------+------------+-------+--------------------------------+

                   Table 23: checkSearchType Properties

7.2.1.9.  vulnerabilityAnalysisType

   The vulnerabilityAnalysisType describes a particular attack method
   against the vulnerability: the vulnerable configurations that the
   attack method can exploit, the severity of the resulting impact, and
   the characteristics of the vulnerability.

   +----------------+-----------------------+-------+------------------+
   | Name           | Type                  | Count | Definition       |
   +----------------+-----------------------+-------+------------------+
   | id (attribute) | xsd:anyURI            | 1     | The ID for the   |
   |                |                       |       | attack method.   |
   | vulnerable-    | internalReferenceType | 0-n   | A reference to   |
   | configuration- |                       |       | the vulnerable-  |
   | ref (element)  |                       |       | configuration    |
   |                |                       |       | element(s) that  |
   |                |                       |       | can be exploited |
   |                |                       |       | through this     |
   |                |                       |       | particular       |
   |                |                       |       | attack method.   |
   | impact         | cvss2ImpactType       | 0-1   | Provides         |
   | (element)      |                       |       | information      |
   |                |                       |       | about the        |
   |                |                       |       | severity of the  |
   |                |                       |       | vulnerability.   |
   | characteristic | vulnerability         | 0-n   | Identifies       |
   | (element)      | CharacteristicType    |       | characteristics  |
   |                |                       |       | of the           |
   |                |                       |       | vulnerability.   |
   | ##other        | xsd:any               | 0-n   | Provides an      |
   | (element)      |                       |       | extension point  |
   +----------------+-----------------------+-------+------------------+

              Table 24: vulnerabilityAnalysisType Properties

7.2.1.9.1.  internalReferenceType

   +--------------+------------+-------+-------------------------------+
   | Name         | Type       | Count | Definition                    |
   +--------------+------------+-------+-------------------------------+
   | id-ref       | xsd:anyURI | 0-1   | A reference to a              |
   | (attribute)  |            |       | vulnerable-configuration      |
   |              |            |       | element                       |
   +--------------+------------+-------+-------------------------------+

                Table 25: internalReferenceType Properties
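
   A consumer of a VDM record needs two things from the types in
   Sections 7.2.1.8 and 7.2.1.9.1: the (system, name, href) triples
   that tell a scanner which check to fetch and evaluate, and assurance
   that every vulnerable-configuration-ref resolves to a vulnerable-
   configuration in the same record, since a dangling id-ref silently
   detaches an attack method from the platforms it applies to.  The
   following Python is an added example and not code from this draft:
   element and attribute names follow Tables 20 to 25, while the root
   element <vulnerability>, the <vulnerability-analysis> element name
   used for vulnerabilityAnalysisType, the namespace URI and the sample
   record are placeholders constructed for the example.

```python
"""Audit one VDM vulnerability record: resolve its check references and
find dangling internal references.

Added example, not code from the draft.  Element and attribute names
follow Tables 20-25; the root element <vulnerability>, the element name
<vulnerability-analysis> and the namespace URI are placeholders."""
import xml.etree.ElementTree as ET

NS = "urn:example:vdm"  # placeholder namespace (assumption)
# checkSearchType says the system SHOULD be an OVAL version URI; this is
# the OVAL 5 definitions namespace a scanner would recognise.
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"


def q(tag: str) -> str:
    """Clark-notation qualified name for an element in the VDM namespace."""
    return f"{{{NS}}}{tag}"


def vulnerable_configurations(root) -> dict:
    """Map each vulnerable-configuration id to its check references.

    assessmentMethodType (Table 21) wraps a checkReferenceType element
    of the same name, so the check attributes sit one level below the
    assessment-check child of vulnerable-configuration."""
    configs = {}
    for vc in root.iter(q("vulnerable-configuration")):
        checks = []
        for method in vc.findall(q("assessment-check")):
            ref = method.find(q("assessment-check"))
            if ref is None:
                continue
            checks.append({
                "system": ref.get("system"),   # checkSearchType, count 1
                "name": ref.get("name"),       # checkSearchType, count 0-1
                "href": ref.get("href"),       # checkReferenceType, count 1
                "engines": [(e.text or "").strip()
                            for e in method.findall(q("assessment-engine"))],
            })
        configs[vc.get("id")] = checks
    return configs


def dangling_refs(root) -> list:
    """id-ref values (internalReferenceType, Table 25) that name no
    vulnerable-configuration in the same record."""
    known = {vc.get("id") for vc in root.iter(q("vulnerable-configuration"))}
    return [r.get("id-ref")
            for r in root.iter(q("vulnerable-configuration-ref"))
            if r.get("id-ref") not in known]


def oval_checks(configs: dict) -> list:
    """(href, name) pairs for OVAL checks a scanner can fetch and run;
    a reference without a name cannot be located and is skipped."""
    return [(c["href"], c["name"]) for checks in configs.values()
            for c in checks if c["system"] == OVAL_SYSTEM and c["name"]]


def audit_record(xml_text: str) -> dict:
    """Parse one record and report configurations, dangling references
    and runnable OVAL checks.  Feed data is untrusted: in production use
    defusedxml or another hardened parser instead of plain ElementTree."""
    root = ET.fromstring(xml_text)
    configs = vulnerable_configurations(root)
    return {"configurations": configs,
            "dangling": dangling_refs(root),
            "oval": oval_checks(configs)}


# Constructed sample record: two vulnerable configurations and one
# analysis whose second reference points at an id that does not exist.
SAMPLE = f"""<vulnerability xmlns="{NS}"
    xmlns:cpe-lang="http://cpe.mitre.org/language/2.0">
  <vulnerable-configuration id="urn:example:vc:1">
    <cpe-lang:platform-configuration/>
    <assessment-check>
      <assessment-check system="{OVAL_SYSTEM}"
                        name="oval:example:def:1"
                        href="http://example.com/checks/example.xml"/>
      <assessment-engine>cpe:/a:example:scanner:3.1</assessment-engine>
    </assessment-check>
  </vulnerable-configuration>
  <vulnerable-configuration id="urn:example:vc:2">
    <cpe-lang:platform-configuration/>
  </vulnerable-configuration>
  <vulnerability-analysis id="urn:example:va:1">
    <vulnerable-configuration-ref id-ref="urn:example:vc:1"/>
    <vulnerable-configuration-ref id-ref="urn:example:vc:3"/>
  </vulnerability-analysis>
</vulnerability>"""

if __name__ == "__main__":
    print(audit_record(SAMPLE))
```

   The sample deliberately references a vulnerable-configuration that
   is not in the record, so the dangling-reference check has something
   to report; the second configuration carries no assessment method at
   all, which is legal (count 0-n) but means nothing can be scanned for
   it automatically.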

7.2.1.9.2.  cvss2ImpactType

   cvss2ImpactType is an extension type that includes CVSS v2 scoring
   information.  Extends impactType.

   +---------------+-----------------------+-------+-------------------+
   | Name          | Type                  | Count | Definition        |
   +---------------+-----------------------+-------+-------------------+
   | cvss2-metrics | cvssv2:cvssImpactType | 1     | The CVSS v2 score |
   | (element)     |                       |       | metrics for the   |
   |               |                       |       | vulnerability.    |
   +---------------+-----------------------+-------+-------------------+

                   Table 26: cvss2ImpactType Properties

7.2.1.9.3.  impactType

   impactType identifies the type of impact the vulnerability may have.

   +--------------+--------------------+-------+-----------------------+
   | Name         | Type               | Count | Definition            |
   +--------------+--------------------+-------+-----------------------+
   | inclusion    | lifecycleEventType | 0-1   | The date and time the |
   | (element)    |                    |       | impact information    |
   |              |                    |       | was first included in |
   |              |                    |       | this data feed.       |
   | modification | lifecycleEventType | 0-n   | The date and time the |
   | (element)    |                    |       | impact information    |
   |              |                    |       | was modified.         |
   |              |                    |       | Multiple instances    |
   |              |                    |       | may be used to serve  |
   |              |                    |       | as a change log.      |
   +--------------+--------------------+-------+-----------------------+

                      Table 27: impactType Properties

7.2.1.9.4.  vulnerabilityCharacteristicType

   Holds information relating to the characteristics for the
   vulnerability.

   +-------------+------------+-------+--------------------------------+
   | Name        | Type       | Count | Definition                     |
   +-------------+------------+-------+--------------------------------+
   | type        | xsd:anyURI | 0-1   | Type of vulnerability          |
   | (attribute) |            |       |                                |
   | ##other     | xsd:any    | 0-1   | Provides an extension point    |
   | (element)   |            |       | for additional information.    |
   +-------------+------------+-------+--------------------------------+

           Table 28: vulnerabilityCharacteristicType Properties

7.2.2.  CVSS v2

   CVSS v2 defines various CVSS scoring components and representations
   that may be used in the vulnerability data model.

7.2.2.1.  cvssType

   The cvssType defines the representation of a complete CVSS v2 score,
   including all three scores: base, temporal and environmental.

   +-------------------+----------------------+-------+----------------+
   | Name              | Type                 | Count | Definition     |
   +-------------------+----------------------+-------+----------------+
   | base_metrics      | baseMetricsType      | 0-n   | The base CVSS  |
   | (element)         |                      |       | score          |
   | environmental_    | environmentalMetrics | 0-n   | The            |
   | metrics (element) | Type                 |       | environmental  |
   |                   |                      |       | CVSS score     |
   | temporal_metrics  | temporalMetricsType  | 0-n   | The temporal   |
   | (element)         |                      |       | CVSS score     |
   +-------------------+----------------------+-------+----------------+

                       Table 29: cvssType Properties

7.2.2.2.  cvssImpactType

   The cvssImpactType defines a CVSS v2 score that requires at least a
   base score component, since the other score types cannot be
   calculated accurately without one.  Places restrictions on cvssType.

   +-------------------+----------------------+-------+----------------+
   | Name              | Type                 | Count | Definition     |
   +-------------------+----------------------+-------+----------------+
   | base_metrics      | baseMetricsType      | 1     | The base CVSS  |
   | (element)         |                      |       | score          |
   | environmental_    | environmentalMetrics | 0-1   | The            |
   | metrics (element) | Type                 |       | environmental  |
   |                   |                      |       | CVSS score     |
   | temporal_metrics  | temporalMetricsType  | 0-1   | The temporal   |
   | (element)         |                      |       | CVSS score     |
   +-------------------+----------------------+-------+----------------+

                     Table 30: cvssImpactType Properties

7.2.2.3.  cvssImpactBaseType

   The cvssImpactBaseType defines a CVSS v2 base score component.

   +---------------------+-----------------+-------+-------------------+
   | Name                | Type            | Count | Definition        |
   +---------------------+-----------------+-------+-------------------+
   | base_metrics        | baseMetricsType | 1     | A base score      |
   | (element)           |                 |       | component         |
   +---------------------+-----------------+-------+-------------------+

                  Table 31: cvssImpactBaseType Properties

7.2.2.4.  cvssImpactTemporalType

   The cvssImpactTemporalType defines a CVSS v2 temporal score
   component.  It extends cvssImpactBaseType.

   +-------------------+---------------------+-------+-----------------+
   | Name              | Type                | Count | Definition      |
   +-------------------+---------------------+-------+-----------------+
   | temporal_metrics  | temporalMetricsType | 0-1   | A temporal      |
   | (element)         |                     |       | score component |
   +-------------------+---------------------+-------+-----------------+

                Table 32: cvssImpactTemporalType Properties

7.2.2.5.  cvssImpactEnvironmentalType

   The cvssImpactEnvironmentalType is a derived type that defines a CVSS
   v2 environmental score component.  It extends cvssImpactTemporalType.

   +-------------------+----------------------+-------+----------------+
   | Name              | Type                 | Count | Definition     |
   +-------------------+----------------------+-------+----------------+
   | environmental_    | environmentalMetrics | 0-1   | An             |
   | metrics (element) | Type                 |       | environmental  |
   |                   |                      |       | score          |
   |                   |                      |       | component      |
   +-------------------+----------------------+-------+----------------+

             Table 33: cvssImpactEnvironmentalType Properties

7.2.2.6.  metricsType

   The metricsType defines an abstract type that presents the common
   attributes of all other metric types.

   +-----------------------+-------------+-------+---------------------+
   | Name                  | Type        | Count | Definition          |
   +-----------------------+-------------+-------+---------------------+
   | upgraded-from-version | xsd:decimal | 0-1   | Indicates the       |
   | (attribute)           |             |       | previous CVSS score |
   |                       |             |       | version that this   |
   |                       |             |       | metric was upgraded |
   |                       |             |       | from.               |
   +-----------------------+-------------+-------+---------------------+

                     Table 34: metricsType Properties

7.2.2.7.  baseMetricsType

   The baseMetricsType defines a derived metricsType that represents a
   base CVSS v2 score component.  Extends metricsType.

   +------------------+------------------+-------+---------------------+
   | Name             | Type             | Count | Definition          |
   +------------------+------------------+-------+---------------------+
   | score (element)  | zeroToTenDecimal | 0-1   | Base severity score |
   |                  | Type             |       | assigned to a       |
   |                  |                  |       | vulnerability by a  |
   |                  |                  |       | source              |
   | exploit-subscore | zeroToTenDecimal | 0-1   | Base exploit        |
   | (element)        | Type             |       | sub-score assigned  |
   |                  |                  |       | to a vulnerability  |
   |                  |                  |       | by a source         |
   | impact-subscore  | zeroToTenDecimal | 0-1   | Base impact         |
   | (element)        | Type             |       | sub-score assigned  |
   |                  |                  |       | to a vulnerability  |
   |                  |                  |       | by a source         |
   | access-vector    | accessVectorType | 0-1   | Access vector       |
   | (element)        |                  |       | metric value for a  |
   |                  |                  |       | base score          |
   | access-          | accessComplexity | 0-1   | Access complexity   |
   | complexity       | Type             |       | metric value for a  |
   | (element)        |                  |       | base score          |
   | authentication   | authentication   | 0-1   | Authentication      |
   | (element)        | Type             |       | metric value for a  |
   |                  |                  |       | base score          |
   | confidentiality- | ciaType          | 0-1   | Confidentiality     |
   | impact (element) |                  |       | impact metric value |
   |                  |                  |       | for a base score    |
   | integrity-impact | ciaType          | 0-1   | Integrity impact    |
   | (element)        |                  |       | metric value for a  |
   |                  |                  |       | base score          |
   | availability-    | ciaType          | 0-1   | Availability impact |
   | impact (element) |                  |       | metric value for a  |
   |                  |                  |       | base score          |
   | source (element) | xsd:anyURI       | 1     | Data source the     |
   |                  |                  |       | vector was obtained |
   |                  |                  |       | from. Example:      |
   |                  |                  |       | http://nvd.nist.gov |
   |                  |                  |       | or com.symantec.    |
   |                  |                  |       | deepsight           |
   | generated-on-    | xsd:dateTime     | 0-1   | Timestamp for when  |
   | datetime         |                  |       | the base score was  |
   | (element)        |                  |       | generated           |
   +------------------+------------------+-------+---------------------+

                   Table 35: baseMetricsType Properties

7.2.2.7.1.  zeroToTenDecimalType

   The zeroToTenDecimalType defines a type that can be used to represent
   values from 0.0 to 10.0 with one decimal place, as used in CVSS
   scores.  It restricts xsd:decimal to values between 0.0 and 10.0.

7.2.2.7.2.  accessVectorType

   The accessVectorType defines the representation of an access vector
   component in a CVSS score.  Extends: accessVectorEnumType

   +--------------+-------------+-------+------------------------------+
   | Name         | Type        | Count | Definition                   |
   +--------------+-------------+-------+------------------------------+
   | approximated | xsd:boolean | 0-1   | Indicates if the value has   |
   | (attribute)  |             |       | been approximated as the     |
   |              |             |       | result of an upgrade from a  |
   |              |             |       | previous CVSS version. The   |
   |              |             |       | default value is false.      |
   +--------------+-------------+-------+------------------------------+

                   Table 36: accessVectorType Properties

7.2.2.7.3.  accessVectorEnumType

   The accessVectorEnumType defines the allowed values for the access
   vector component of the base CVSS vector.




Booth & Scarfone        Expires October 27, 2013               [Page 34]

Internet-Draft          Vulnerability Data Model              April 2013


   Allowed enumeration values: LOCAL, ADJACENT_NETWORK, NETWORK

7.2.2.7.4.  accessComplexityType

   The accessComplexityType defines the representation of an access
   complexity component in a CVSS score.  Extends:
   accessComplexityEnumType

   +--------------+-------------+-------+------------------------------+
   | Name         | Type        | Count | Definition                   |
   +--------------+-------------+-------+------------------------------+
   | approximated | xsd:boolean | 0-1   | Indicates if the value has   |
   | (attribute)  |             |       | been approximated as the     |
   |              |             |       | result of an upgrade from a  |
   |              |             |       | previous CVSS version. The   |
   |              |             |       | default value is false.      |
   +--------------+-------------+-------+------------------------------+

                 Table 37: accessComplexityType Properties

7.2.2.7.5.  accessComplexityEnumType

   The accessComplexityEnumType defines the allowed values for the
   access complexity component of the base CVSS vector.

   Allowed enumeration values: HIGH, MEDIUM, LOW

7.2.2.7.6.  authenticationType

   The authenticationType defines the representation of authentication
   values in a CVSS score.  Extends: authenticationEnumType

   +--------------+-------------+-------+------------------------------+
   | Name         | Type        | Count | Definition                   |
   +--------------+-------------+-------+------------------------------+
   | approximated | xsd:boolean | 0-1   | Indicates if the value has   |
   | (attribute)  |             |       | been approximated as the     |
   |              |             |       | result of an upgrade from a  |
   |              |             |       | previous CVSS version. The   |
   |              |             |       | default value is false.      |
   +--------------+-------------+-------+------------------------------+

                   Table 38: authenticationType Properties

7.2.2.7.7.  authenticationEnumType

   The authenticationEnumType defines the allowed values for the
   authentication component of the base CVSS vector.

   Allowed enumeration values: MULTIPLE_INSTANCES, SINGLE_INSTANCE, NONE

7.2.2.7.8.  ciaType

   The ciaType defines the representation of confidentiality, integrity
   and availability impact values in a CVSS score.  Extends: ciaEnumType

   +--------------+-------------+-------+------------------------------+
   | Name         | Type        | Count | Definition                   |
   +--------------+-------------+-------+------------------------------+
   | approximated | xsd:boolean | 0-1   | Indicates if the value has   |
   | (attribute)  |             |       | been approximated as the     |
   |              |             |       | result of an upgrade from a  |
   |              |             |       | previous CVSS version. The   |
   |              |             |       | default value is false.      |
   +--------------+-------------+-------+------------------------------+

                       Table 39: ciaType Properties

7.2.2.7.9.  ciaEnumType

   The ciaEnumType defines the allowed values for the confidentiality,
   integrity and availability components of the base CVSS vector.

   Allowed enumeration values: NONE, PARTIAL, COMPLETE
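
   The elements of Table 35 and the enumerations in Sections 7.2.2.7.3
   to 7.2.2.7.9 carry everything needed to recompute a CVSS v2 base
   score, so a consumer can check that the score a producer declares
   actually follows from the vector it ships, and can see which metric
   values were only approximated during an upgrade from an earlier CVSS
   version.  The following Python is an added example and not code from
   this draft: element and attribute names come from Table 35, the
   namespace URI and the sample element are constructed placeholders,
   and the metric weights, equations and half-up rounding are those of
   the CVSS v2 specification, which this section does not restate.

```python
"""Cross-check the CVSS v2 base metrics in a VDM baseMetricsType element:
validate enumerations and ranges, then recompute the scores.

Added example, not code from the draft.  Names follow Table 35 and the
enumerations of 7.2.2.7.3 to 7.2.2.7.9; the namespace URI is a
placeholder; weights and equations are from the CVSS v2 specification."""
from decimal import Decimal, ROUND_HALF_UP
import xml.etree.ElementTree as ET

NS = "urn:example:vdm-cvss2"  # placeholder namespace (assumption)

# CVSS v2 weights keyed by this draft's enumeration values.
ACCESS_VECTOR = {"LOCAL": 0.395, "ADJACENT_NETWORK": 0.646, "NETWORK": 1.0}
ACCESS_COMPLEXITY = {"HIGH": 0.35, "MEDIUM": 0.61, "LOW": 0.71}
AUTHENTICATION = {"MULTIPLE_INSTANCES": 0.45, "SINGLE_INSTANCE": 0.56,
                  "NONE": 0.704}
CIA_IMPACT = {"NONE": 0.0, "PARTIAL": 0.275, "COMPLETE": 0.660}
METRICS = {  # Table 35 element name -> its enumeration and weights
    "access-vector": ACCESS_VECTOR,
    "access-complexity": ACCESS_COMPLEXITY,
    "authentication": AUTHENTICATION,
    "confidentiality-impact": CIA_IMPACT,
    "integrity-impact": CIA_IMPACT,
    "availability-impact": CIA_IMPACT,
}
SCORES = ("score", "impact-subscore", "exploit-subscore")


def round1(x: float) -> float:
    """CVSS v2 round_to_1_decimal: half-up, unlike Python's round()."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"),
                                           rounding=ROUND_HALF_UP))


def cvss2_base(av, ac, au, c, i, a) -> tuple:
    """(score, impact-subscore, exploit-subscore) for a base vector."""
    impact = 10.41 * (1 - (1 - CIA_IMPACT[c]) * (1 - CIA_IMPACT[i])
                      * (1 - CIA_IMPACT[a]))
    exploitability = (20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac]
                      * AUTHENTICATION[au])
    # f(Impact) is 0 when nothing is impacted, otherwise 1.176
    score = (0.0 if impact == 0
             else (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176)
    return round1(score), round1(impact), round1(exploitability)


def check_base_metrics(xml_text: str) -> dict:
    """Validate one base_metrics element and recompute its scores.

    Reports declared and recomputed scores, metrics marked
    approximated="true" (inferred during a CVSS upgrade, so less
    trustworthy) and every problem: a value outside its enumeration, a
    score outside zeroToTenDecimalType, or a declared score that the
    vector does not support."""
    root = ET.fromstring(xml_text)
    problems, values, approximated, declared = [], {}, [], {}
    for tag, table in METRICS.items():
        el = root.find(f"{{{NS}}}{tag}")
        if el is None:
            problems.append(f"missing {tag}")
            continue
        values[tag] = (el.text or "").strip()
        if values[tag] not in table:
            problems.append(f"{tag}: {values[tag]!r} not in enumeration")
        if el.get("approximated", "false") == "true":
            approximated.append(tag)
    for tag in SCORES:
        el = root.find(f"{{{NS}}}{tag}")
        if el is None:
            continue
        try:
            declared[tag] = float(el.text)
        except (TypeError, ValueError):
            problems.append(f"{tag}: {el.text!r} is not a decimal")
            continue
        if not 0.0 <= declared[tag] <= 10.0:
            problems.append(f"{tag} {declared[tag]} outside 0.0-10.0")
    recomputed = {}
    if len(values) == len(METRICS) and all(
            v in METRICS[t] for t, v in values.items()):
        recomputed = dict(zip(
            SCORES, cvss2_base(*(values[t] for t in METRICS))))
        for tag, v in declared.items():
            if v != recomputed[tag]:
                problems.append(f"{tag}: declared {v}, vector gives "
                                f"{recomputed[tag]}")
    return {"declared": declared, "recomputed": recomputed,
            "approximated": approximated, "problems": problems}


# Constructed sample: the vector AV:N/AC:L/Au:N/C:P/I:P/A:P scores 7.5,
# but the producer declares 9.3 and flags authentication as approximated.
SAMPLE = f"""<base_metrics xmlns="{NS}">
  <score>9.3</score>
  <exploit-subscore>10.0</exploit-subscore>
  <impact-subscore>6.4</impact-subscore>
  <access-vector>NETWORK</access-vector>
  <access-complexity>LOW</access-complexity>
  <authentication approximated="true">NONE</authentication>
  <confidentiality-impact>PARTIAL</confidentiality-impact>
  <integrity-impact>PARTIAL</integrity-impact>
  <availability-impact>PARTIAL</availability-impact>
  <source>http://nvd.nist.gov</source>
</base_metrics>"""

if __name__ == "__main__":
    print(check_base_metrics(SAMPLE))
```

   Running the module prints the report for the sample, whose declared
   score of 9.3 is not supported by its vector (7.5) and whose
   authentication value is only approximated.  A mismatch like this is
   a reason to re-score from the vector rather than act on the declared
   number.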

7.2.2.8.  environmentalMetricsType

   The environmentalMetricsType represents an environmental CVSS v2
   score component.  It extends metricsType.

   +------------------+------------------+-------+---------------------+
   | Name             | Type             | Count | Definition          |
   +------------------+------------------+-------+---------------------+
   | score (element)  | zeroToTenDecimal | 0-1   | Environmental       |
   |                  | Type             |       | severity score      |
   |                  |                  |       | assigned to a       |
   |                  |                  |       | vulnerability by a  |
   |                  |                  |       | source              |
   | collateral-      | collateralDamage | 0-1   | Collateral damage   |
   | damage-potential | PotentialType    |       | potential metric    |
   | (element)        |                  |       | value for an        |
   |                  |                  |       | environmental score |
   | target-          | target           | 0-1   | Target distribution |
   | distribution     | DistributionType |       | metric value for an |
   | (element)        |                  |       | environmental score |
   | confidentiality- | ciaRequirement   | 0-1   | Confidentiality     |
   | requirement      | Type             |       | requirement metric  |
   | (element)        |                  |       | value for an        |
   |                  |                  |       | environmental score |
   | integrity-       | ciaRequirement   | 0-1   | Integrity           |
   | requirement      | Type             |       | requirement metric  |
   | (element)        |                  |       | value for an        |
   |                  |                  |       | environmental score |
   | availability-    | ciaRequirement   | 0-1   | Availability        |
   | requirement      | Type             |       | requirement metric  |
   | (element)        |                  |       | value for an        |
   |                  |                  |       | environmental score |
   | source (element) | xsd:anyURI       | 1     | Data source the     |
   |                  |                  |       | vector was obtained |
   |                  |                  |       | from. Example:      |
   |                  |                  |       | http://nvd.nist.gov |
   |                  |                  |       | or com.symantec.    |
   |                  |                  |       | deepsight           |
   | generated-on-    | xsd:dateTime     | 0-1   | Timestamp for when  |
   | datetime         |                  |       | the environmental   |
   | (element)        |                  |       | score was generated |
   +------------------+------------------+-------+---------------------+

               Table 40: environmentalMetricsType Properties

7.2.2.8.1.  collateralDamagePotentialType

   The collateralDamagePotentialType defines the representation of
   collateral damage potential in a CVSS score.  Extends:
   collateralDamagePotentialEnumType

   +--------------+-------------+-------+------------------------------+
   | Name         | Type        | Count | Definition                   |
   +--------------+-------------+-------+------------------------------+
   | approximated | xsd:boolean | 0-1   | Indicates if the value has   |
   | (attribute)  |             |       | been approximated as the     |
   |              |             |       | result of an upgrade from a  |
   |              |             |       | previous CVSS version. The   |
   |              |             |       | default value is false.      |
   +--------------+-------------+-------+------------------------------+

            Table 41: collateralDamagePotentialType Properties

7.2.2.8.2.  collateralDamagePotentialEnumType

   The collateralDamagePotentialEnumType defines the allowed values for
   the collateral damage potential component of the environmental CVSS
   vector.

   Allowed enumeration values: NONE, LOW, LOW_MEDIUM, MEDIUM_HIGH, HIGH,
   NOT_DEFINED

7.2.2.8.3.  targetDistributionType

   The targetDistributionType defines the representation of a target
   distribution value in a CVSS score.  Extends:
   targetDistributionEnumType

   +--------------+-------------+-------+------------------------------+
   | Name         | Type        | Count | Definition                   |
   +--------------+-------------+-------+------------------------------+
   | approximated | xsd:boolean | 0-1   | Indicates if the value has   |
   | (attribute)  |             |       | been approximated as the     |
   |              |             |       | result of an upgrade from a  |
   |              |             |       | previous CVSS version. The   |
   |              |             |       | default value is false.      |
   +--------------+-------------+-------+------------------------------+

                Table 42: targetDistributionType Properties

7.2.2.8.4.  targetDistributionEnumType

   The targetDistributionEnumType defines the allowed values for the
   target distribution component of the environmental CVSS vector.

   Allowed enumeration values: NONE, LOW, MEDIUM, HIGH, NOT_DEFINED

7.2.2.8.5.  ciaRequirementType

   The ciaRequirementType defines the representation of a
   confidentiality, integrity, or availability requirement in a CVSS
   score.  Extends: ciaRequirementEnumType

   +--------------+-------------+-------+------------------------------+
   | Name         | Type        | Count | Definition                   |
   +--------------+-------------+-------+------------------------------+
   | approximated | xsd:boolean | 0-1   | Indicates if the value has   |
   | (attribute)  |             |       | been approximated as the     |
   |              |             |       | result of an upgrade from a  |
   |              |             |       | previous CVSS version. The   |
   |              |             |       | default value is false.      |
   +--------------+-------------+-------+------------------------------+

                  Table 43: ciaRequirementType Properties

7.2.2.8.6.  ciaRequirementEnumType

   The ciaRequirementEnumType defines the allowed values for the
   confidentiality, integrity and availability requirement components of
   the environmental CVSS vector.

   Allowed enumeration values: LOW, MEDIUM, HIGH, NOT_DEFINED

7.2.2.9.  temporalMetricsType

   The temporalMetricsType represents a temporal CVSS v2 score
   component.  It extends metricsType.

   +-------------------+------------------+------+---------------------+
   | Name              | Type             | Count| Definition          |
   +-------------------+------------------+------+---------------------+
   | score (element)   | zeroToTenDecimal | 0-1  | Temporal severity   |
   |                   | Type             |      | score assigned to a |
   |                   |                  |      | vulnerability by a  |
   |                   |                  |      | source. The         |
   |                   |                  |      | temporal score is   |
   |                   |                  |      | the temporal        |
   |                   |                  |      | multiplier times    |
   |                   |                  |      | the base score.     |
   | temporal-multipli | xsd:decimal      | 0-1  | The temporal        |
   | er (element)      |                  |      | multiplier, a       |
   |                   |                  |      | number between zero |
   |                   |                  |      | and one. Reference  |
   |                   |                  |      | the CVSS standard   |
   |                   |                  |      | for computation.    |
   | exploitability    | exploitabilityTy | 0-1  | Exploitability      |
   | (element)         | pe               |      | metric value for a  |
   |                   |                  |      | temporal score      |
   | remediation-level | remediationLevel | 0-1  | Remediation level   |
   | (element)         | Type             |      | metric value for a  |
   |                   |                  |      | temporal score      |
   | report-confidence | confidenceType   | 0-1  | Report confidence   |
   | (element)         |                  |      | metric value for a  |
   |                   |                  |      | temporal score      |
   | source (element)  | xsd:anyURI       | 1    | Data source the     |
   |                   |                  |      | vector was obtained |
   |                   |                  |      | from. Example:      |
   |                   |                  |      | http://nvd.nist.gov |
   |                   |                  |      | or                  |
   |                   |                  |      | com.symantec.deepsi |
   |                   |                  |      | ght                 |
   | generated-on-date | xsd:dateTime     | 1    | Timestamp for when  |
   | time (element)    |                  |      | the temporal score  |
   |                   |                  |      | was generated       |
   +-------------------+------------------+------+---------------------+

                 Table 44: temporalMetricsType Properties

7.2.2.9.1.  exploitabilityType

   The exploitabilityType defines the representation of exploitability
   values in a CVSS score.  Extends: exploitabilityEnumType

   +--------------+-------------+-------+------------------------------+
   | Name         | Type        | Count | Definition                   |
   +--------------+-------------+-------+------------------------------+
   | approximated | xsd:boolean | 0-1   | Indicates if the value has   |
   | (attribute)  |             |       | been approximated as the     |
   |              |             |       | result of an upgrade from a  |
   |              |             |       | previous CVSS version. The   |
   |              |             |       | default value is false.      |
   +--------------+-------------+-------+------------------------------+

                  Table 45: exploitabilityType Properties

7.2.2.9.2.  exploitabilityEnumType

   The exploitabilityEnumType defines the allowed values for the
   exploitability component of the temporal CVSS vector.

   Allowed enumeration values: UNPROVEN, PROOF_OF_CONCEPT, FUNCTIONAL,
   HIGH, NOT_DEFINED

7.2.2.9.3.  remediationLevelType

   The remediationLevelType defines the representation of remediation
   level in a CVSS score.  Extends: remediationLevelEnumType

   +--------------+-------------+-------+------------------------------+
   | Name         | Type        | Count | Definition                   |
   +--------------+-------------+-------+------------------------------+
   | approximated | xsd:boolean | 0-1   | Indicates if the value has   |
   | (attribute)  |             |       | been approximated as the     |
   |              |             |       | result of an upgrade from a  |
   |              |             |       | previous CVSS version. The   |
   |              |             |       | default value is false.      |
   +--------------+-------------+-------+------------------------------+

                 Table 46: remediationLevelType Properties

7.2.2.9.4.  remediationLevelEnumType

   The remediationLevelEnumType defines the allowed values for the
   remediation level component of the temporal CVSS vector.

   Allowed enumeration values: OFFICIAL_FIX, TEMPORARY_FIX, WORKAROUND,
   UNAVAILABLE, NOT_DEFINED

7.2.2.9.5.  confidenceType

   The confidenceType defines the representation of report confidence
   values in a CVSS score.  Extends: confidenceEnumType

   +--------------+-------------+-------+------------------------------+
   | Name         | Type        | Count | Definition                   |
   +--------------+-------------+-------+------------------------------+
   | approximated | xsd:boolean | 0-1   | Indicates if the value has   |
   | (attribute)  |             |       | been approximated as the     |
   |              |             |       | result of an upgrade from a  |
   |              |             |       | previous CVSS version. The   |
   |              |             |       | default value is false.      |
   +--------------+-------------+-------+------------------------------+

                    Table 47: confidenceType Properties

7.2.2.9.6.  confidenceEnumType

   The confidenceEnumType defines the allowed values for the report
   confidence component of the temporal CVSS vector.

   Allowed enumeration values: UNCONFIRMED, UNCORROBORATED, CONFIRMED,
   NOT_DEFINED
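
   The draft defers the temporal computation to the CVSS standard.  As an
   added example (not part of the draft or of any NIST code), the
   following Python maps the enumeration values of Tables 45 through 47
   to the CVSS v2 temporal weights, computes the temporal multiplier and
   score of Table 44, and checks a temporalMetricsType instance for
   consistency.  The weights are those of the CVSS v2 guide; treating an
   absent optional metric as NOT_DEFINED is this example's assumption.

```python
"""CVSS v2 temporal multiplier and temporal score from Table 44's elements.

Added example for Section 7.2.2.9; not part of the draft or of any NIST code.
The draft defers the computation to the CVSS standard, so the weights below
are the temporal weights of the CVSS v2 guide (NISTIR 7435). Treating an
absent optional metric as NOT_DEFINED is an assumption of this example.
"""
from decimal import Decimal, ROUND_HALF_UP
from typing import Dict, List

# Enumeration values of Tables 45-47 mapped to their CVSS v2 temporal weights.
EXPLOITABILITY = {"UNPROVEN": 0.85, "PROOF_OF_CONCEPT": 0.90, "FUNCTIONAL": 0.95,
                  "HIGH": 1.00, "NOT_DEFINED": 1.00}
REMEDIATION_LEVEL = {"OFFICIAL_FIX": 0.87, "TEMPORARY_FIX": 0.90, "WORKAROUND": 0.95,
                     "UNAVAILABLE": 1.00, "NOT_DEFINED": 1.00}
REPORT_CONFIDENCE = {"UNCONFIRMED": 0.90, "UNCORROBORATED": 0.95, "CONFIRMED": 1.00,
                     "NOT_DEFINED": 1.00}


def round1(x: float) -> float:
    """CVSS round_to_1_decimal (half-up), not Python's banker's rounding."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def temporal_multiplier(exploitability: str, remediation_level: str,
                        report_confidence: str) -> float:
    """Product of the three temporal weights; rejects values outside the enumerations."""
    try:
        return (EXPLOITABILITY[exploitability] * REMEDIATION_LEVEL[remediation_level]
                * REPORT_CONFIDENCE[report_confidence])
    except KeyError as bad:
        raise ValueError(f"{bad} is not an allowed enumeration value") from None


def temporal_score(base_score: float, exploitability: str, remediation_level: str,
                   report_confidence: str) -> float:
    """Table 44: the temporal score is the temporal multiplier times the base score."""
    return round1(base_score * temporal_multiplier(exploitability, remediation_level,
                                                    report_confidence))


def check_temporal_metrics(element: Dict[str, str], base_score: float) -> List[str]:
    """Consistency checks on a temporalMetricsType given as a dict keyed by the
    Table 44 element names. Returns the problems found; an empty list is consistent."""
    problems = []
    for required in ("source", "generated-on-datetime"):  # count 1 in Table 44
        if required not in element:
            problems.append(f"missing required element {required}")
    try:
        multiplier = temporal_multiplier(element.get("exploitability", "NOT_DEFINED"),
                                         element.get("remediation-level", "NOT_DEFINED"),
                                         element.get("report-confidence", "NOT_DEFINED"))
    except ValueError as err:
        return problems + [str(err)]
    if "temporal-multiplier" in element:
        stated = float(element["temporal-multiplier"])
        if not 0.0 < stated <= 1.0:
            problems.append("temporal-multiplier must be a number between zero and one")
        elif abs(stated - multiplier) > 0.005:   # allow a producer rounding to 2 decimals
            problems.append(f"temporal-multiplier {stated} disagrees with the metrics "
                            f"({multiplier:.4f})")
    if "score" in element:
        stated = float(element["score"])
        if not 0.0 <= stated <= 10.0:
            problems.append("score is not a zeroToTenDecimalType value")
        elif round1(stated) != round1(base_score * multiplier):
            problems.append(f"score {stated} is not base {base_score} times "
                            f"multiplier {multiplier:.4f}")
    return problems


# Constructed temporalMetricsType instance keyed by the Table 44 element names.
SAMPLE_TEMPORAL = {"source": "http://nvd.nist.gov",
                   "generated-on-datetime": "2012-11-05T09:00:00Z",
                   "exploitability": "FUNCTIONAL", "remediation-level": "WORKAROUND",
                   "report-confidence": "CONFIRMED", "temporal-multiplier": "0.9025",
                   "score": "6.8"}

if __name__ == "__main__":
    print(temporal_score(7.5, "FUNCTIONAL", "WORKAROUND", "CONFIRMED"))  # 6.8
    print(check_temporal_metrics(SAMPLE_TEMPORAL, 7.5))                  # []
```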


8.  Controlled Vocabularies

   Several types in the Vulnerability Data Model use controlled
   vocabularies to balance usability and flexibility.  Controlled
   vocabulary values follow the standard form scap:authority:id, and
   other entities may create additional entries.  The following elements
   use the vocabularies defined below.

8.1.  event-type

   The event-type controlled vocabulary identifies the type of event
   that occurred.

   +--------------------------------+----------------------------------+
   | Vocabulary Entry               | Description                      |
   +--------------------------------+----------------------------------+
   | scap:gov.nist:Inclusion        | The date and time that the       |
   |                                | entity was first included in     |
   |                                | this data feed                   |
   | scap:gov.nist:Modification     | The date and time that the       |
   |                                | vulnerability record was last    |
   |                                | modified. Multiple instances of  |
   |                                | this can be used to serve as a   |
   |                                | change log                       |
   | scap:gov.nist:Deprecation      | Information used to indicate     |
   |                                | deprecation of a record. This    |
   |                                | element is only to be used if    |
   |                                | the record has been deprecated   |
   | scap:gov.nist:Supersession     | The date and time that the       |
   |                                | entity was first included in     |
   |                                | this data feed                   |
   | scap:gov.nist:Discovered       | The date that the vulnerability  |
   |                                | was first discovered             |
   | scap:gov.nist:Disclosure       | The date and time that the       |
   |                                | vulnerability was disclosed to   |
   |                                | the public                       |
   | scap:gov.nist:VendorDisclosure | The date and time that the       |
   |                                | software vendor was first        |
   |                                | notified of the vulnerability    |
   +--------------------------------+----------------------------------+

                Table 48: event-type Controlled Vocabulary

8.2.  intended-uses

   The intended-uses controlled vocabulary is used to indicate the type
   of information that is included in the text.  This information is
   provided as a "hint" to consumers on how they should present the
   information in various scenarios.

   +-------------------------------------+-----------------------------+
   | Vocabulary Entry                    | Description                 |
   +-------------------------------------+-----------------------------+
   | scap:gov.nist:general               | Provides general            |
   |                                     | information                 |
   | scap:gov.nist:summary               | A short summary of the      |
   |                                     | entity                      |
   | scap:gov.nist:description           | A formatted description of  |
   |                                     | the entity                  |
   | scap:gov.nist:mitigation            | A potential method to       |
   |                                     | mitigate the vulnerability  |
   | scap:gov.nist:mitigatingFactors     | Additional considerations   |
   |                                     | that affect the             |
   |                                     | vulnerability and may       |
   |                                     | reduce its impact in        |
   |                                     | certain situations          |
   | scap:gov.nist:scope                 | Identifies the potential    |
   |                                     | access that can be gained   |
   |                                     | through exploiting the      |
   |                                     | vulnerability               |
   | scap:gov.nist:affectedComponent     | Identifies the affected     |
   |                                     | components of the software  |
   | scap:gov.nist:cause                 | Explains the root cause of  |
   |                                     | the vulnerability           |
   | scap:gov.nist:additionalInformation | Provides additional         |
   |                                     | information                 |
   | scap:gov.nist:attackPossibilities   | Identifies what an attacker |
   |                                     | may do if they can exploit  |
   |                                     | the vulnerability           |
   | scap:gov.nist:exploitMethod         | Identifies how an attacker  |
   |                                     | may exploit the             |
   |                                     | vulnerability               |
   | scap:gov.nist:primaryTargets        | Identifies the types of     |
   |                                     | systems that are considered |
   |                                     | most at risk to             |
   |                                     | exploitation through this   |
   |                                     | vulnerability               |
   | scap:gov.nist:updateActions         | Explains what the update    |
   |                                     | will do                     |
   | scap:gov.nist:publicDisclosure      | Indicates information about |
   |                                     | known public disclosures    |
   | scap:gov.nist:exploitReports        | Indicates known instances   |
   |                                     | of the exploit being used   |
   |                                     | in the "wild"               |
   +-------------------------------------+-----------------------------+

               Table 49: intended-uses Controlled Vocabulary

8.3.  content-type

   The content-type controlled vocabulary is used to specify the type of
   content.

     +---------------------------+----------------------------------+
     | Vocabulary Entry          | Description                      |
     +---------------------------+----------------------------------+
     | scap:gov.nist:description | Provides descriptive information |
     | scap:gov.nist:technical   | Provides technical details       |
     +---------------------------+----------------------------------+

               Table 50: content-type Controlled Vocabulary

8.4.  reference-type

   The reference-type controlled vocabulary is used to specify the type
   of reference category.

   +--------------------------------------------+----------------------+
   | Vocabulary Entry                           | Description          |
   +--------------------------------------------+----------------------+
   | scap:gov.nist:Patch                        | The reference        |
   |                                            | includes a link to a |
   |                                            | software patch or    |
   |                                            | update instructions  |
   | scap:gov.nist:VendorAdvisory               | The reference is by  |
   |                                            | an authoritative     |
   |                                            | source for the       |
   |                                            | affected software    |
   | scap:gov.nist:ThirdPartyAdvisory           | The reference is by  |
   |                                            | a non-authoritative  |
   |                                            | source for the       |
   |                                            | affected software    |
   | scap:gov.nist:SignatureSource              | The reference        |
   |                                            | includes a link to   |
   |                                            | one or more          |
   |                                            | signatures for use   |
   |                                            | in a signature-based |
   |                                            | detection system     |
   | scap:gov.nist:MitigationProcedure          | The reference        |
   |                                            | includes information |
   |                                            | regarding mitigation |
   |                                            | techniques that may  |
   |                                            | help reduce exposure |
   |                                            | to the vulnerability |
   | scap:gov.nist:ToolConfigurationDescription | The reference        |
   |                                            | includes information |
   |                                            | regarding the        |
   |                                            | configuration of a   |
   |                                            | tool that can be     |
   |                                            | used to detect the   |
   |                                            | vulnerability        |
   | scap:gov.nist:AttackScenario               | The reference        |
   |                                            | provides a sample    |
   |                                            | attack scenario that |
   |                                            | demonstrates how the |
   |                                            | vulnerability may be |
   |                                            | exploited            |
   | scap:gov.nist:TechnicalDescription         | The reference        |
   |                                            | provides a technical |
   |                                            | description of the   |
   |                                            | vulnerability        |
   | scap:gov.nist:Other                        | The reference does   |
   |                                            | not fit into one of  |
   |                                            | the other categories |
   +--------------------------------------------+----------------------+

              Table 51: reference-type Controlled Vocabulary
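
   As an added example for Section 8 (not the draft's own code), the
   following Python classifies a vocabulary value as a known gov.nist
   entry from Tables 48 through 51, an extension entry by another
   authority, an unknown gov.nist entry, or a malformed value.  The
   character classes in the pattern are an assumption, since the draft
   specifies only the scap:authority:id shape.

```python
"""Classify a controlled-vocabulary value of the form scap:authority:id.

Added example for Section 8; not part of the draft. The known entries are the
gov.nist entries of Tables 48-51. Section 8 lets other entities add entries,
so a well-formed value under another authority is reported as an extension
rather than rejected. The character classes in VALUE_RE are an assumption: the
draft specifies only the scap:authority:id shape.
"""
import re
from typing import NamedTuple, Optional

VALUE_RE = re.compile(r"^scap:([A-Za-z0-9.-]+):([A-Za-z0-9_.-]+)$")

# gov.nist entries from Tables 48-51, keyed by vocabulary name.
GOV_NIST = {
    "event-type": {"Inclusion", "Modification", "Deprecation", "Supersession",
                   "Discovered", "Disclosure", "VendorDisclosure"},
    "intended-uses": {"general", "summary", "description", "mitigation",
                      "mitigatingFactors", "scope", "affectedComponent", "cause",
                      "additionalInformation", "attackPossibilities",
                      "exploitMethod", "primaryTargets", "updateActions",
                      "publicDisclosure", "exploitReports"},
    "content-type": {"description", "technical"},
    "reference-type": {"Patch", "VendorAdvisory", "ThirdPartyAdvisory",
                       "SignatureSource", "MitigationProcedure",
                       "ToolConfigurationDescription", "AttackScenario",
                       "TechnicalDescription", "Other"},
}


class VocabResult(NamedTuple):
    status: str              # "known", "extension", "unknown" or "malformed"
    authority: Optional[str]
    ident: Optional[str]


def classify(vocabulary: str, value: str) -> VocabResult:
    """Check one value against the named Section 8 vocabulary."""
    if vocabulary not in GOV_NIST:
        raise ValueError(f"no such vocabulary: {vocabulary}")
    match = VALUE_RE.match(value.strip())
    if not match:                      # not of the scap:authority:id form
        return VocabResult("malformed", None, None)
    authority, ident = match.groups()
    if authority != "gov.nist":        # another entity's extension entry
        return VocabResult("extension", authority, ident)
    if ident in GOV_NIST[vocabulary]:
        return VocabResult("known", authority, ident)
    return VocabResult("unknown", authority, ident)   # gov.nist entry not in the tables


if __name__ == "__main__":
    # Constructed values, including the forms used by the Appendix B samples.
    for voc, val in [("reference-type", "scap:gov.nist:Patch"),
                     ("reference-type", "scap:com.example:EmergencyPatch"),
                     ("event-type", "scap:gov.nist:publish"),
                     ("reference-type", "gov.nist:Advisory")]:
        print(f"{voc:15} {val:35} {classify(voc, val).status}")
```

   Run against the Appendix B samples, the check reports the event-type
   scap:gov.nist:publish of Sample 1 as unknown and the reference type
   gov.nist:Advisory of Sample 2 as malformed, which is what a consumer
   applying Section 8 strictly would see.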


9.  Acknowledgements

   The authors wish to thank their colleagues who reviewed drafts of
   this document and contributed to its technical content.  The authors
   would like to acknowledge David Waltermire of NIST, Joseph Wolfkiel
   of the Defense Information Systems Agency (DISA), Jim Ronayne of
   Varen Technologies, Matt Kerr of G2, Inc. and Shane Shaffer of G2,
   Inc. for their keen and insightful assistance throughout the
   development of this document.


10.  IANA Considerations

   This memo includes no request to IANA.


11.  Security Considerations

   As a data format, the Vulnerability Data Model has no security
   concerns that are known at this time.  However, because it is a data
   format designed to be stored and transmitted between entities within
   an enterprise, it SHOULD be used within a properly secured
   environment.  Over time, a significant amount of information valuable
   to attackers can be gleaned from Vulnerability Data Model information.
   Therefore, it is recommended that Vulnerability Data Model information
   be used in environments providing communication security mechanisms
   that supply the properties of confidentiality, data integrity, and
   non-repudiation.


12.  Normative References

   [CPE]      National Institute of Standards and Technology, "NIST
              Interagency Reports 7695, 7696, 7697, and 7698, the Common
              Platform Enumeration", 2011,
              <http://scap.nist.gov/specifications/cpe/>.

   [CVSSv2]   National Institute of Standards and Technology, "NIST
              Interagency Report 7435, The Common Vulnerability Scoring
              System and Its Applicability to Federal Agency Systems",
              2007, <http://csrc.nist.gov/publications/
              PubsNISTIRs.html#NISTIR_7435>.

   [DCTERMS]  Dublin Core Metadata Initiative, "Dublin Core Metadata
              Terms", 2012, <http://purl.org/dc/terms/>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [XML]      W3C, "W3C Recommendation Extensible Markup Language (XML)
              1.0 (Fifth Edition)", 2008,
              <http://www.w3.org/TR/REC-xml/>.

   [XSD]      W3C, "W3C Recommendation XML Schema", 2004,
              <http://www.w3.org/XML/Schema.html>.

   [XSI]      W3C, "W3C Recommendation XML Schema Instance", 2001,
              <http://www.w3.org/2001/XMLSchema-instance>.


Appendix A.  Use Cases

   This appendix documents some common use cases that were considered
   when developing VDM.

A.1.  OEM Vendor Statements

   It is common for OEM vendors to release information regarding
   vulnerabilities found in their products.  These releases often take
   the form of textual information about the vulnerability in vendor-
   specific formats.  Providing the information in a standardized format
   would allow those wishing to automatically gather and parse the
   vulnerability information to do so without developing custom tools
   for each vendor.

A.2.  Security Researchers

   Security researchers are interested in correlating and analyzing the
   data provided as part of the VDM for various purposes.  To support
   this use case, the VDM should include the following information:

   o  A unique identifier for the vulnerability

   o  A list of additional identifiers for the vulnerability if
      applicable

   o  A list of the affected software and/or platforms

   o  An indication of the severity of the vulnerability, including any
      differences in severity based on various configurations

   o  References to support additional research

A.3.  System Design and Planning

   System Administrators, System Architects, and the authors of security
   guides all have an interest in knowing what vulnerabilities exist on
   a given platform.  The information provided by the vulnerability
   model can assist in determining:

   o  Which platforms to deploy

   o  What configurations of a platform to deploy

   o  What mitigating controls may be needed in a given environment

   o  What remediations are available for a vulnerability

   To support this use case, vulnerability information should include:

   o  A unique identifier for a vulnerability

   o  An indication of when a vulnerability is applicable

   o  An indication of the severity of a vulnerability

   o  References to allow additional information about a vulnerability
      to be gathered

   o  References to existing remediations for the vulnerability

   o  Indicators of the freshness of the vulnerability information

A.4.  Assessment Content Authoring

   Some individuals or organizations need to create content to detect
   the presence of a vulnerability.  Vulnerability detection may be done
   through the use of a common specification such as SCAP or through
   proprietary methods.  Information provided by the vulnerability model
   can assist in determining:

   o  Which platforms are affected by a vulnerability

   o  Where existing detection content may already exist

   o  The severity of the vulnerability

   To support the Assessment Content Authoring use case, the
   vulnerability model should include:

   o  A unique identifier for the vulnerability

   o  An indication of what platforms are affected by the vulnerability

   o  An indication of the severity of the vulnerability

   o  Additional references to assist in researching the vulnerability

   o  References to any existing assessment content

   o  Indicators of the freshness of the vulnerability information

A.5.  Certification and Accreditation

   Certification and Accreditation teams are responsible for determining
   whether or not systems are allowed to remain on a given network.
   This is usually determined based on the priority of the function the
   system supports, assessment reports for the system, and
   organizational guidelines.  Information provided as part of the
   vulnerability model can assist in determining:

   o  The severity of a vulnerability

   o  The existence of exploits

   o  The existence of remediations

   o  The type of the vulnerability

   o  Indicators of the freshness of the vulnerability information


Appendix B.  VDM Examples

   This section shows some sample vulnerability information from various
   sources put into VDM format.

B.1.  Sample 1

 <?xml version="1.0" encoding="UTF-8"?>
 <vulnerability xmlns="http://scap.nist.gov/schema/vulnerability/1.0"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:dc="http://purl.org/dc/elements/1.1/"
 xmlns:dcterms="http://purl.org/dc/terms/"
 xsi:schemaLocation="http://scap.nist.gov/schema/vulnerability/1.0
 file:///vulnerability_0.9.2.xsd
 http://purl.org/dc/elements/1.1/
 http://dublincore.org/schemas/xmls/qdc/2008/02/11/dc.xsd
 http://purl.org/dc/terms/
 http://dublincore.org/schemas/xmls/qdc/2008/02/11/dcterms.xsd
 ">
 <vulnerability-id system="apple">OSX Lion v10.7.4 and Security
 Update 2012-002</vulnerability-id>
   <vulnerability-id-alias system="cve">CVE-2012-0652
   </vulnerability-id-alias>
   <record-metadata>
     <event>
       <dc:date></dc:date>
       <event-type>scap:gov.nist:publish</event-type>
     </event>
   </record-metadata>
   <targeted-text>
     <content-type>scap:gov.nist:description</content-type>
     <text xml:lang="en-US">An issue existed in the handling of network
     account logins. The login process recorded sensitive information in
     the system log, where other users of the system could read it. The
     sensitive information may persist in saved logs after installation
     of this update. This issue only affects systems running OS X Lion
     v10.7.3 with users of Legacy File Vault and/or networked home
     directories. See http://support.apple.com/kb/TS4272 for more
     information about how to securely remove any remaining
     records.</text>
   </targeted-text>
   <references>
     <reference type=""
     xmlns:meta="http://scap.nist.gov/schema/metadata-core/1.0">
       <meta:external-item href="http://support.apple.com/kb/HT5281">
       </meta:external-item>
     </reference>
   </references>
   <vulnerable-software-list>
     <product>cpe:/o:apple:mac_os_x:10.7.3</product>
   </vulnerable-software-list>
 </vulnerability>

B.2.  Sample 2

 <?xml version="1.0" encoding="UTF-8"?>
 <vulnerability xmlns="http://scap.nist.gov/schema/vulnerability/1.0"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:dc="http://purl.org/dc/elements/1.1/"
 xmlns:dcterms="http://purl.org/dc/terms/"
 xsi:schemaLocation="http://scap.nist.gov/schema/vulnerability/1.0
 file:///vulnerability_0.9.2.xsd
 http://purl.org/dc/elements/1.1/
 http://dublincore.org/schemas/xmls/qdc/2008/02/11/dc.xsd
 http://purl.org/dc/terms/
 http://dublincore.org/schemas/xmls/qdc/2008/02/11/dcterms.xsd
 ">
   <vulnerability-id system="cve">CVE-2012-0652</vulnerability-id>
   <vulnerability-id-alias system="apple">OSX Lion v10.7.4 and Security
   Update 2012-002</vulnerability-id-alias>
   <targeted-text>
     <content-type>scap:gov.nist:summary</content-type>
     <text xml:lang="">Login Window in Apple Mac OS X 10.7.3, when
     Legacy File Vault or networked home directories are enabled, does
     not properly restrict what is written to the system log for network
     logins, which allows local users to obtain sensitive information by
     reading the log.</text>
   </targeted-text>
   <references>
     <reference type="gov.nist:Advisory" xml:lang="en-US"
     xmlns:meta="http://scap.nist.gov/schema/metadata-core/1.0">
       <meta:external-item href="http://support.apple.com/kb/HT5281">
       </meta:external-item>
       <source>Apple</source>
     </reference>
     <reference type="gov.nist:Advisory" xml:lang="en-US">
       <meta:external-item href="http://lists.apple.com/archives/
       security-announce/2012/May/msg00001.html"
       xmlns:meta="http://scap.nist.gov/schema/metadata-core/1.0">
       </meta:external-item>
       <source>Apple</source>
       <notes>
         <meta:note xml:lang=""
         xmlns:meta="http://scap.nist.gov/schema/metadata-core/1.0">
         APPLE-SA-2012-05-09-1</meta:note>
       </notes>
     </reference>
   </references>
   <vulnerable-software-list>
     <product>cpe:/o:apple:mac_os_x:10.7.3</product>
   </vulnerable-software-list>
   <impact>
     <cvss2-metrics>
       <cvssv2:base_metrics
       xmlns:cvssv2="http://scap.nist.gov/schema/cvss-v2/0.2">
         <cvssv2:score>4.9</cvssv2:score>
         <cvssv2:access-vector>LOCAL</cvssv2:access-vector>
         <cvssv2:access-complexity>LOW</cvssv2:access-complexity>
         <cvssv2:authentication>NONE</cvssv2:authentication>
         <cvssv2:confidentiality-impact>COMPLETE
         </cvssv2:confidentiality-impact>
         <cvssv2:integrity-impact>NONE</cvssv2:integrity-impact>
         <cvssv2:availability-impact>NONE</cvssv2:availability-impact>
         <cvssv2:source>NIST</cvssv2:source>
         <cvssv2:generated-on-datetime>2012-11-05T09:00:00Z
         </cvssv2:generated-on-datetime>
       </cvssv2:base_metrics>
     </cvss2-metrics>
   </impact>
   <cwe id="CWE-200"></cwe>
 </vulnerability>

B.3.  Sample 3

<?xml version="1.0" encoding="UTF-8"?>
<vulnerability xmlns="http://scap.nist.gov/schema/vulnerability/1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xsi:schemaLocation="http://scap.nist.gov/schema/vulnerability/1.0
  file:///vulnerability_0.9.2.xsd
  http://purl.org/dc/elements/1.1/
  http://dublincore.org/schemas/xmls/qdc/2008/02/11/dc.xsd
  http://purl.org/dc/terms/
  http://dublincore.org/schemas/xmls/qdc/2008/02/11/dcterms.xsd
  ">
  <vulnerability-id system="CVE">CVE-2012-1848</vulnerability-id>
  <vulnerability-id-alias system="Microsoft Security Bulletin">
  MS12-034</vulnerability-id-alias>
  <targeted-text>
    <content-type>scap:gov.nist:summary</content-type>
    <text xml:lang="en-US">An elevation of privilege vulnerability
    exists in the Windows kernel-mode driver. An attacker who
    successfully exploited this vulnerability could run arbitrary code
    in kernel mode. An attacker could then install programs; view,
    change, or delete data; or create new accounts with full
    administrative rights.</text>
  </targeted-text>
  <targeted-text>
    <content-type>scap:gov.nist:mitigation</content-type>
    <text xml:lang="en-US">Microsoft has not identified any
    workarounds for this vulnerability.</text>
  </targeted-text>
  <targeted-text>
    <content-type>scap:gov.nist:mitigatingFactors</content-type>
    <text xml:lang="en-US">An attacker must have valid logon
    credentials and be able to log on locally to exploit this
    vulnerability.</text>
  </targeted-text>
  <targeted-text>
    <content-type>scap:gov.nist:scope</content-type>
    <text xml:lang="en-US">This is an elevation of privilege
    vulnerability.</text>
  </targeted-text>
  <targeted-text>
    <content-type>scap:gov.nist:affectedComponent</content-type>
    <text xml:lang="en-US">The component affected by this
    vulnerability is the Windows kernel-mode driver
    (win32k.sys).</text>
  </targeted-text>
  <targeted-text>
    <content-type>scap:gov.nist:cause</content-type>
    <text xml:lang="en-US">The vulnerability is caused when the
    Windows kernel-mode driver improperly handles input passed
    from user-mode functions.</text>
  </targeted-text>
  <targeted-text>
    <content-type>scap:gov.nist:additionalInformation</content-type>
    <text xml:lang="en-US">Win32k.sys is a kernel-mode device
    driver and is the kernel part of the Windows subsystem. It
    contains the window manager, which controls window displays;
    manages screen output; collects input from the keyboard,
    mouse, and other devices; and passes user messages to
    applications. It also contains the Graphics Device Interface (GDI),
    which is a library of functions for graphics output devices.
    Finally, it serves as a wrapper for DirectX support that is
    implemented in another driver (dxgkrnl.sys).  The Windows
    kernel is the core of the operating system. It provides
    system-level services such as device management and memory
    management, allocates processor time to processes, and
    manages error handling.</text>
  </targeted-text>
  <targeted-text>
    <content-type>scap:gov.nist:attackPossibilities</content-type>
    <text xml:lang="en-US">An attacker who successfully exploited
    this vulnerability could run arbitrary code in the context of
    another process. If this process runs with administrator
    privileges, an attacker could then install programs; view,
    change, or delete data; or create new accounts with full
    user rights.</text>
  </targeted-text>
  <targeted-text>
    <content-type>scap:gov.nist:exploitMethod</content-type>
    <text xml:lang="en-US">To exploit this vulnerability, an attacker
    would first have to log on to the system. An attacker could then
    run a specially crafted application that could exploit the
    vulnerability and take complete control over the affected
    system.</text>
  </targeted-text>
  <targeted-text>
    <content-type>scap:gov.nist:primaryTargets</content-type>
    <text xml:lang="en-US">Workstations and terminal servers are
    primarily at risk. Servers could be at more risk if administrators
    allow users to log on to servers and to run programs. However,
    best practices strongly discourage allowing this.</text>
  </targeted-text>
  <targeted-text>
    <content-type>scap:gov.nist:updateActions</content-type>
    <text xml:lang="en-US">The update addresses the
    vulnerability by correcting the way that the Windows
    kernel-mode driver handles data passed from
    user-mode functions.</text>
  </targeted-text>
  <targeted-text>
    <content-type>scap:gov.nist:publicDisclosure</content-type>
    <text xml:lang="en-US">No. Microsoft received information
    about this vulnerability through coordinated vulnerability
    disclosure.</text>
  </targeted-text>
  <targeted-text>
    <content-type>scap:gov.nist:exploitReports</content-type>
    <text xml:lang="en-US">No. Microsoft had not received any
    information to indicate that this vulnerability had been publicly
    used to attack customers when this security bulletin was
    originally issued.</text>
  </targeted-text>
  <event>
    <dc:date></dc:date>
    <event-type>scap:gov.nist:inclusion</event-type>
  </event>
  <references>
    <reference type="gov.nist:Advisory"
    xmlns:meta="http://scap.nist.gov/schema/metadata-core/1.0">
      <meta:external-item
      href="http://technet.microsoft.com/security/bulletin/MS12-034"/>
    </reference>
  </references>
  <vulnerable-software-list>
    <product>cpe:/o:microsoft:windows_xp::sp3</product>
    <product>cpe:/o:microsoft:windows_xp:-:sp2:x64</product>
    <product>cpe:/o:microsoft:windows_server_2003::sp2</product>
    <product>cpe:/o:microsoft:windows_server_2003::sp2:x64</product>
    <product>cpe:/o:microsoft:windows_server_2003::sp2:itanium</product>
    <product>cpe:/o:microsoft:windows_vista::sp2</product>
    <product>cpe:/o:microsoft:windows_vista::sp2:x64</product>
    <product>cpe:/o:microsoft:windows_server_2008::sp2:x86</product>
    <product>cpe:/o:microsoft:windows_server_2008::sp2:x64</product>
    <product>cpe:/o:microsoft:windows_server_2008::sp2:itanium</product>
    <product>cpe:/o:microsoft:windows_7::sp1:x86</product>
    <product>cpe:/o:microsoft:windows_7::sp1:x64</product>
    <product>cpe:/o:microsoft:windows_server_2008:r2::x64</product>
    <product>cpe:/o:microsoft:windows_server_2008:r2:sp1:x64</product>
    <product>cpe:/o:microsoft:windows_server_2008:r2::itanium</product>
    <product>cpe:/o:microsoft:windows_server_2008:r2:sp1:itanium
    </product>
  </vulnerable-software-list>
  <impact>
    <cvss2-metrics
    xmlns:cvssv2="http://scap.nist.gov/schema/cvss-v2/0.2">
      <cvssv2:base_metrics>
        <cvssv2:score>9.3</cvssv2:score>
        <cvssv2:access-vector>NETWORK</cvssv2:access-vector>
        <cvssv2:access-complexity>MEDIUM</cvssv2:access-complexity>
        <cvssv2:authentication>NONE</cvssv2:authentication>
        <cvssv2:confidentiality-impact>COMPLETE
        </cvssv2:confidentiality-impact>
        <cvssv2:integrity-impact>COMPLETE
        </cvssv2:integrity-impact>
        <cvssv2:availability-impact>COMPLETE
        </cvssv2:availability-impact>
        <cvssv2:source>NIST</cvssv2:source>
      </cvssv2:base_metrics>
    </cvss2-metrics>
  </impact>
</vulnerability>

B.4.  Sample 4

<?xml version="1.0" encoding="UTF-8"?>
<vulnerability xmlns="http://scap.nist.gov/schema/vulnerability/1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xsi:schemaLocation="http://scap.nist.gov/schema/vulnerability/1.0
    file:///vulnerability_0.9.2.xsd
    http://purl.org/dc/elements/1.1/
    http://dublincore.org/schemas/xmls/qdc/2008/02/11/dc.xsd
    http://purl.org/dc/terms/
    http://dublincore.org/schemas/xmls/qdc/2008/02/11/dcterms.xsd
    ">
  <vulnerability-id system="CVE">CVE-2012-1848</vulnerability-id>
  <targeted-text>
    <content-type>scap:gov.nist:summary</content-type>
    <content-type>scap:gov.nist:description</content-type>
    <text xml:lang="en-US">win32k.sys in the kernel-mode drivers in
    Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2,
    Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1,
    Windows 7 Gold and SP1, and Windows 8 Consumer Preview
    does not properly handle user-mode input passed to kernel
    mode, which allows local users to gain privileges via a crafted
    application, aka "Scrollbar Calculation Vulnerability."</text>
  </targeted-text>
  <event>
    <dc:date></dc:date>
    <event-type>scap:gov.nist:inclusion</event-type>
  </event>
  <references>
    <reference type="gov.nist:Advisory"
    xmlns:meta="http://scap.nist.gov/schema/metadata-core/1.0">
      <meta:external-item
      href="http://technet.microsoft.com/security/bulletin/MS12-034"/>
    </reference>
  </references>
  <vulnerable-software-list>
    <product>cpe:/o:microsoft:windows_xp::sp3</product>
    <product>cpe:/o:microsoft:windows_xp:-:sp2:x64</product>
    <product>cpe:/o:microsoft:windows_server_2003::sp2</product>
    <product>cpe:/o:microsoft:windows_server_2003::sp2:x64</product>
    <product>cpe:/o:microsoft:windows_server_2003::sp2:itanium</product>
    <product>cpe:/o:microsoft:windows_vista::sp2</product>
    <product>cpe:/o:microsoft:windows_vista::sp2:x64</product>
    <product>cpe:/o:microsoft:windows_server_2008::sp2:x86</product>
    <product>cpe:/o:microsoft:windows_server_2008::sp2:x64</product>
    <product>cpe:/o:microsoft:windows_server_2008::sp2:itanium</product>
    <product>cpe:/o:microsoft:windows_7::sp1:x86</product>
    <product>cpe:/o:microsoft:windows_7::sp1:x64</product>
    <product>cpe:/o:microsoft:windows_server_2008:r2::x64</product>
    <product>cpe:/o:microsoft:windows_server_2008:r2:sp1:x64</product>
    <product>cpe:/o:microsoft:windows_server_2008:r2::itanium</product>
    <product>cpe:/o:microsoft:windows_server_2008:r2:sp1:itanium
    </product>
  </vulnerable-software-list>
  <impact>
    <cvss2-metrics
    xmlns:cvssv2="http://scap.nist.gov/schema/cvss-v2/0.2">
      <cvssv2:base_metrics>
        <cvssv2:score>9.3</cvssv2:score>
        <cvssv2:access-vector>NETWORK</cvssv2:access-vector>
        <cvssv2:access-complexity>MEDIUM</cvssv2:access-complexity>
        <cvssv2:authentication>NONE</cvssv2:authentication>
        <cvssv2:confidentiality-impact>COMPLETE
        </cvssv2:confidentiality-impact>
        <cvssv2:integrity-impact>COMPLETE
        </cvssv2:integrity-impact>
        <cvssv2:availability-impact>COMPLETE
        </cvssv2:availability-impact>
        <cvssv2:source>NIST</cvssv2:source>
      </cvssv2:base_metrics>
    </cvss2-metrics>
  </impact>
</vulnerability>
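
   The Python program that follows is an added example, not code from
   this draft or from the NVD; it shows how a consumer reads a record
   shaped like Samples 3 and 4 with the standard library alone: every
   targeted-text block is indexed under each of its content-type
   values, the CVSS v2 base metrics are flattened into a dictionary and
   each CPE 2.2 name in the vulnerable-software-list is split into its
   components. SAMPLE_RECORD is constructed from the values in Samples
   3 and 4 and shortened; it keeps the cvss-v2/0.2 namespace the
   samples use, and the CVSS elements are matched by local name so that
   a record in the cvss-v2/1.0 namespace imported by the schema in
   Appendix C is read the same way. parse_cpe22, parse_record and
   affected_products are hypothetical helper names, not an API of the
   model.

```python
"""Read a VDM <vulnerability> record shaped like Samples 3 and 4.

Added example, not code from this draft or from NVD: uses only the
standard library to index targeted-text blocks by content-type, flatten
the CVSS v2 base metrics and split the CPE 2.2 names of the
vulnerable-software-list. SAMPLE_RECORD is constructed from the values
of Samples 3 and 4 and shortened.
"""
import xml.etree.ElementTree as ET

NS = {"vdm": "http://scap.nist.gov/schema/vulnerability/1.0"}

SAMPLE_RECORD = """<vulnerability xmlns="http://scap.nist.gov/schema/vulnerability/1.0">
  <vulnerability-id system="CVE">CVE-2012-1848</vulnerability-id>
  <targeted-text>
    <content-type>scap:gov.nist:summary</content-type>
    <content-type>scap:gov.nist:description</content-type>
    <text xml:lang="en-US">win32k.sys in the kernel-mode drivers in
    Microsoft Windows does not properly handle user-mode input passed to
    kernel mode, which allows local users to gain privileges via a
    crafted application.</text>
  </targeted-text>
  <targeted-text>
    <content-type>scap:gov.nist:mitigation</content-type>
    <text xml:lang="en-US">Microsoft has not identified any
    workarounds for this vulnerability.</text>
  </targeted-text>
  <vulnerable-software-list>
    <product>cpe:/o:microsoft:windows_xp::sp3</product>
    <product>cpe:/o:microsoft:windows_xp:-:sp2:x64</product>
    <product>cpe:/o:microsoft:windows_7::sp1:x86</product>
  </vulnerable-software-list>
  <impact>
    <cvss2-metrics xmlns:cvssv2="http://scap.nist.gov/schema/cvss-v2/0.2">
      <cvssv2:base_metrics>
        <cvssv2:score>9.3</cvssv2:score>
        <cvssv2:access-vector>NETWORK</cvssv2:access-vector>
        <cvssv2:access-complexity>MEDIUM</cvssv2:access-complexity>
        <cvssv2:authentication>NONE</cvssv2:authentication>
        <cvssv2:confidentiality-impact>COMPLETE</cvssv2:confidentiality-impact>
        <cvssv2:integrity-impact>COMPLETE</cvssv2:integrity-impact>
        <cvssv2:availability-impact>COMPLETE</cvssv2:availability-impact>
        <cvssv2:source>NIST</cvssv2:source>
      </cvssv2:base_metrics>
    </cvss2-metrics>
  </impact>
</vulnerability>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's {namespace} prefix


def parse_cpe22(name):
    """Split a CPE 2.2 URI into named fields; absent trailing fields become ''.
    A '-' component (windows_xp:-:sp2:x64) means 'not applicable' and is kept."""
    if not name.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % name)
    keys = ("part", "vendor", "product", "version", "update", "edition", "language")
    fields = name[len("cpe:/"):].split(":")
    return dict(zip(keys, fields + [""] * (len(keys) - len(fields))))


def parse_record(xml_text):
    """Return the parts of a record a consumer usually needs, as plain Python."""
    root = ET.fromstring(xml_text)
    vid = root.find("vdm:vulnerability-id", NS)

    # A block may carry several content-types (Sample 4 tags one block as both
    # summary and description): index the whitespace-collapsed text under each.
    texts = {}
    for block in root.findall("vdm:targeted-text", NS):
        body = " ".join(block.findtext("vdm:text", default="", namespaces=NS).split())
        for ct in block.findall("vdm:content-type", NS):
            texts[ct.text.strip()] = body

    # Match CVSS elements by local name so the cvss-v2/0.2 namespace of the
    # samples and the cvss-v2/1.0 namespace imported by the schema both work.
    cvss = {}
    for el in root.iter():
        if _local(el.tag) == "base_metrics":
            cvss = {_local(c.tag): (c.text or "").strip() for c in el}
    if "score" in cvss:
        cvss["score"] = float(cvss["score"])

    return {
        "id": vid.text.strip(),
        "system": vid.get("system"),
        "texts": texts,
        "cpes": [parse_cpe22(p.text.strip()) for p in
                 root.findall("vdm:vulnerable-software-list/vdm:product", NS)],
        "cvss2": cvss,
    }


def affected_products(record):
    """Distinct (vendor, product) pairs, the usual join key against an inventory."""
    return sorted({(c["vendor"], c["product"]) for c in record["cpes"]})
```

   On SAMPLE_RECORD, parse_record(...)["texts"] holds the same sentence
   under both scap:gov.nist:summary and scap:gov.nist:description, the
   score comes back as the float 9.3, and affected_products returns
   [("microsoft", "windows_7"), ("microsoft", "windows_xp")], the pairs
   an inventory lookup would key on. The "-" version component of the
   second CPE name is preserved rather than blanked, so a caller can
   still distinguish "not applicable" from "unspecified".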


Appendix C.  Vulnerability Data Model Schema

   This appendix contains the vulnerability data model schema.
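
   The vulnerability element declaration in this schema carries three
   identity constraints: vulnerabilityIdUnique (the @system attribute
   and the identifier text, taken together, must be unique across
   vulnerability-id and vulnerability-id-alias), the key
   VulnerableConfigurationIdKey (every vulnerable-configuration must
   have a unique @id) and the keyref VulnerableConfigurationIdKeyRef
   (every @id-ref on attack-method/vulnerable-configuration-ref must
   name one of those ids). The Python check below is an added example,
   not part of this draft; it re-implements those constraints together
   with the relationship and status vocabularies using the standard
   library, for a consumer that has no XSD validator at hand. Both
   records in it are constructed; placing the attack-method element
   where the keyref selector looks for it is an assumption, since that
   element does not appear in the sequence of vulnerabilityType.
   check_identity_constraints is a hypothetical helper name.

```python
"""Identity-constraint checks for a VDM <vulnerability> record.

Added example, not part of the draft: re-implements the xsd:unique,
xsd:key and xsd:keyref declared on the vulnerability element, plus the
relationship and status vocabularies, using only the standard library.
Both records below are constructed; attack-method is placed where the
schema's keyref selector (tns:attack-method/tns:vulnerable-configuration-ref)
looks for it, which is an assumption.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"vdm": "http://scap.nist.gov/schema/vulnerability/1.0"}

# Vocabularies copied from the schema's simpleType restrictions.
ALIAS_RELATIONSHIPS = {"CORRESPONDS", "INCLUDED_IN", "INCLUDES", "OVERLAPS"}
RECORD_STATUSES = {"VALID", "INVALID", "MERGED", "SPLIT", "DUPLICATE"}

GOOD_RECORD = """<vulnerability xmlns="http://scap.nist.gov/schema/vulnerability/1.0"
    xmlns:cpe-lang="http://cpe.mitre.org/language/2.0">
  <vulnerability-id system="CVE">CVE-2012-1848</vulnerability-id>
  <vulnerability-id-alias system="Microsoft Security Bulletin"
    relationship="INCLUDED_IN">MS12-034</vulnerability-id-alias>
  <record-metadata><status>VALID</status></record-metadata>
  <vulnerable-configuration id="cfg-1">
    <cpe-lang:logical-test operator="OR" negate="FALSE">
      <cpe-lang:fact-ref name="cpe:/o:microsoft:windows_7::sp1:x86"/>
    </cpe-lang:logical-test>
  </vulnerable-configuration>
  <attack-method><vulnerable-configuration-ref id-ref="cfg-1"/></attack-method>
</vulnerability>"""

# Same record with three defects: the alias is repeated, the repeat uses a
# relationship outside the enumeration, and the id-ref points nowhere.
BAD_RECORD = """<vulnerability xmlns="http://scap.nist.gov/schema/vulnerability/1.0">
  <vulnerability-id system="CVE">CVE-2012-1848</vulnerability-id>
  <vulnerability-id-alias system="Microsoft Security Bulletin"
    relationship="INCLUDED_IN">MS12-034</vulnerability-id-alias>
  <vulnerability-id-alias system="Microsoft Security Bulletin"
    relationship="RELATED">MS12-034</vulnerability-id-alias>
  <vulnerable-configuration id="cfg-1"/>
  <attack-method><vulnerable-configuration-ref id-ref="cfg-9"/></attack-method>
</vulnerability>"""


def _text(el):
    return (el.text or "").strip()


def check_identity_constraints(xml_text):
    """Return the list of violations; an empty list means the record passes."""
    root = ET.fromstring(xml_text)
    problems = []

    # vulnerabilityIdUnique: fields @system and "." over vulnerability-id
    # and vulnerability-id-alias taken together.
    ids = Counter(
        (el.get("system"), _text(el))
        for el in root.findall("vdm:vulnerability-id", NS)
        + root.findall("vdm:vulnerability-id-alias", NS)
    )
    problems += [f"identifier {s}:{v} appears {n} times" for (s, v), n in ids.items() if n > 1]

    # vulnerabilityAliasType: relationship is required and enumerated.
    for el in root.findall("vdm:vulnerability-id-alias", NS):
        if el.get("relationship") not in ALIAS_RELATIONSHIPS:
            problems.append(f"alias {_text(el)} has relationship {el.get('relationship')!r}")

    # VulnerableConfigurationIdKey: @id present and unique.
    keys = Counter()
    for el in root.findall("vdm:vulnerable-configuration", NS):
        if el.get("id") is None:
            problems.append("vulnerable-configuration without @id")
        else:
            keys[el.get("id")] += 1
    problems += [f"vulnerable-configuration id {k!r} declared {n} times" for k, n in keys.items() if n > 1]

    # VulnerableConfigurationIdKeyRef: every @id-ref must name a key.
    for el in root.findall("vdm:attack-method/vdm:vulnerable-configuration-ref", NS):
        if el.get("id-ref") not in keys:
            problems.append(f"vulnerable-configuration-ref {el.get('id-ref')!r} does not resolve")

    # record-metadata/status is optional but, when present, enumerated.
    status = root.find("vdm:record-metadata/vdm:status", NS)
    if status is not None and _text(status) not in RECORD_STATUSES:
        problems.append(f"unknown record status {_text(status)!r}")
    return problems


if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, check_identity_constraints(rec) or "OK")
```

   check_identity_constraints(GOOD_RECORD) returns an empty list; on
   BAD_RECORD it returns three findings, one per defect. The check is
   deliberately narrower than schema validation (it enforces neither
   element order nor cardinality), so it complements a validator rather
   than replacing one; its value is that a feed consumer can reject a
   record whose aliases collide or whose configuration references
   dangle before the data reaches a vulnerability database.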


<?xml version="1.0" encoding="UTF-8"?>
<xsd:schema xmlns="http://scap.nist.gov/schema/vulnerability/1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:tns="http://scap.nist.gov/schema/vulnerability/1.0"
  xmlns:cvssv2="http://scap.nist.gov/schema/cvss-v2/1.0"
  xmlns:cpe-lang="http://cpe.mitre.org/language/2.0"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xhtml="http://www.w3.org/1999/xhtml"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  targetNamespace="http://scap.nist.gov/schema/vulnerability/1.0"
  elementFormDefault="qualified"
  attributeFormDefault="unqualified" version="0.9.3">
  <xsd:annotation>
    <xsd:documentation xml:lang="en"> The Vulnerability Data Model
    was created to facilitate communication of vulnerability information
    through a common representation of a core set of concepts. The
    Vulnerability Data Model was designed for use alone or in
    conjunction with other data models, specifications, or proprietary
    extensions.

    This schema was initially developed as part of the DoD NET-D
    data modeling efforts led by Lt. Col. Joe Wolfkiel and with
    participation by David Waltermire. The current revision is the
    result of the experience of using the schemas within the National
    Vulnerability Database (NVD) at the National Institute of Standards
    and Technology (NIST) in the form of a data feed and a web
    service. The following individuals also contributed ideas to the
    definition of this schema: Paul Cichonski formerly at NIST, and
    Jim Ronayne of Varen Technologies. The authors would also like
    to acknowledge the contributions and feedback provided by the
    security automation community.

  <version date="21 October 2012">0.9.3</version>
    </xsd:documentation>
    <xsd:appinfo>
      <schema>Vulnerability Data Model</schema>
      <author>David Waltermire, Harold Booth, Matthew Kerr</author>
      <version>0.9.3</version>
      <date>2012-10-21</date>
    </xsd:appinfo>
  </xsd:annotation>
  <xsd:import namespace="http://www.w3.org/XML/1998/namespace"
    schemaLocation="http://www.w3.org/2001/xml.xsd"/>
  <xsd:import namespace="http://scap.nist.gov/schema/cvss-v2/1.0"
    schemaLocation=
    "http://scap.nist.gov/schema/cvss-v2/1.0/cvss-v2_0.9.xsd"/>
  <xsd:import namespace="http://cpe.mitre.org/language/2.0"
    schemaLocation=
    "http://scap.nist.gov/schema/cpe/2.3/cpe-language_2.3.xsd"/>
  <xsd:import namespace="http://purl.org/dc/elements/1.1/"
    schemaLocation=
    "http://dublincore.org/schemas/xmls/qdc/2008/02/11/dc.xsd">
    <xsd:annotation>
      <xsd:documentation xml:lang="en-US">
      The Dublin Core Metadata Element Set, Version 1.1.
      </xsd:documentation>
    </xsd:annotation>
  </xsd:import>
  <xsd:import namespace="http://purl.org/dc/terms/"
  schemaLocation=
  "http://dublincore.org/schemas/xmls/qdc/2008/02/11/dcterms.xsd">
    <xsd:annotation>
      <xsd:documentation xml:lang="en-US">
      The DCMI Metadata Terms.
      </xsd:documentation>
    </xsd:annotation>
  </xsd:import>
  <!-- xhtml11.xsd -->
  <xsd:import namespace="http://www.w3.org/1999/xhtml"
  schemaLocation="http://scap.nist.gov/schema/xhtml/2010/xhtml11.xsd">
    <xsd:annotation>
      <xsd:documentation xml:lang="en-US">
      A simplified XHTML 1.1 modular schema driver that implements
      structural markup for embedding in XML data models.
      </xsd:documentation>
    </xsd:annotation>
  </xsd:import>
<!-- ================================================== -->
<!-- =====  Element Declarations  -->
<!-- ================================================== -->
  <xsd:element name="vulnerability" type="vulnerabilityType">
    <xsd:annotation>
      <xsd:documentation>The information regarding a single specific
      vulnerability</xsd:documentation>
    </xsd:annotation>
    <xsd:unique name="vulnerabilityIdUnique">
      <xsd:selector
      xpath="tns:vulnerability-id|tns:vulnerability-id-alias"/>
      <xsd:field xpath="@system"/>
      <xsd:field xpath="."/>
    </xsd:unique>
    <xsd:key name="VulnerableConfigurationIdKey">
      <xsd:selector xpath="tns:vulnerable-configuration"/>
      <xsd:field xpath="@id"/>
    </xsd:key>
    <xsd:keyref name="VulnerableConfigurationIdKeyRef"
    refer="tns:VulnerableConfigurationIdKey">
      <xsd:selector
      xpath="tns:attack-method/tns:vulnerable-configuration-ref"/>
      <xsd:field xpath="@id-ref"/>
    </xsd:keyref>
  </xsd:element>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Vulnerability ID Type  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:complexType name="vulnerabilityIdType">
    <xsd:annotation>
      <xsd:documentation>A type used to represent the ID of a
      vulnerability. The combination of system and id must be
      globally unique</xsd:documentation>
    </xsd:annotation>
    <xsd:simpleContent>
      <xsd:extension base="xsd:token">
        <xsd:annotation>
          <xsd:documentation>Represents the id given to the
          vulnerability record by the identified system provider.
          This id must be unique within a given system.
          </xsd:documentation>
        </xsd:annotation>
        <xsd:attribute name="system" type="xsd:string" use="required">
          <xsd:annotation>
            <xsd:documentation>Represents the identification
            system used to assign the associated id.</xsd:documentation>
          </xsd:annotation>
        </xsd:attribute>
      </xsd:extension>
    </xsd:simpleContent>
  </xsd:complexType>
  <xsd:simpleType name="vulnerabilityAliasEnumType">
    <xsd:annotation>
      <xsd:documentation>The enumeration of available
      relationships between vulnerabilities that exist in different
      naming systems.</xsd:documentation>
    </xsd:annotation>
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="CORRESPONDS"/>
      <xsd:enumeration value="INCLUDED_IN"/>
      <xsd:enumeration value="INCLUDES"/>
      <xsd:enumeration value="OVERLAPS"/>
    </xsd:restriction>
  </xsd:simpleType>
  <xsd:complexType name="vulnerabilityAliasType">
    <xsd:annotation>
      <xsd:documentation>A type used to represent the alias of
      a vulnerability.</xsd:documentation>
    </xsd:annotation>
    <xsd:simpleContent>
      <xsd:extension base="vulnerabilityIdType">
        <xsd:attribute name="relationship"
        type="vulnerabilityAliasEnumType" use="required">
          <xsd:annotation>
            <xsd:documentation>Represents the relationship of the
            vulnerability to another vulnerability.</xsd:documentation>
          </xsd:annotation>
        </xsd:attribute>
      </xsd:extension>
    </xsd:simpleContent>
  </xsd:complexType>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  vulnerability record status type                  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:simpleType name="vulnerabilityRecordStatusEnumType">
    <xsd:annotation>
      <xsd:documentation>The enumeration of available
      vulnerability record statuses.</xsd:documentation>
    </xsd:annotation>
    <xsd:restriction base="xsd:token">
      <xsd:enumeration value="VALID"/>
      <xsd:enumeration value="INVALID"/>
      <xsd:enumeration value="MERGED"/>
      <xsd:enumeration value="SPLIT"/>
      <xsd:enumeration value="DUPLICATE"/>
    </xsd:restriction>
  </xsd:simpleType>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Supersession Type  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:complexType name="supersessionType">
    <xsd:annotation>
      <xsd:documentation>Provides a type to encapsulate
      supersession information.</xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element name="supersedes" type="vulnerabilityIdType"
      minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>If this record supersedes one or more
          entries, the identifier of the entry or entries that it
          supersedes.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="supersedes_info" type="lifecycleEventType"
      minOccurs="0" maxOccurs="1">
        <xsd:annotation>
          <xsd:documentation>The date and time when the record
          superseded another entry.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="superseded_by" type="vulnerabilityIdType"
      minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>If this record has been superseded by one
          or more entries, the identifier of the entry or entries that
          this record has been superseded by.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="superseded_info" type="lifecycleEventType"
      minOccurs="0" maxOccurs="1">
        <xsd:annotation>
          <xsd:documentation>The date and time when the record was
          superseded by another entry.</xsd:documentation>
        </xsd:annotation>
        </xsd:element>
    </xsd:sequence>
  </xsd:complexType>
  <xsd:complexType name="extendedLifecycleEventType">
    <xsd:annotation>
      <xsd:documentation>Identifies a significant event in the lifecycle
      of the entity.</xsd:documentation>
    </xsd:annotation>
    <xsd:complexContent>
      <xsd:extension base="lifecycleEventType">
        <xsd:sequence>
          <xsd:element name="event-type" type="xsd:anyURI"
          minOccurs="1" maxOccurs="unbounded">
            <xsd:annotation>
                <xsd:documentation>A controlled vocabulary that
                represents the lifecycle event type</xsd:documentation>
                <xsd:documentation>scap:gov.nist:Inclusion -
                The date and time that the entity was first included in
                this data feed.</xsd:documentation>
                <xsd:documentation>scap:gov.nist:Modification -
                The date and time that the vulnerability record was last
                modified. Multiple instances of this can be used to
                serve as a change log.</xsd:documentation>
                <xsd:documentation>scap:gov.nist:Deprecation -
                Information used to indicate deprecation of a record.
                This element is only to be used if the record has been
                deprecated.</xsd:documentation>
                <xsd:documentation>scap:gov.nist:Supersession -
                The date and time that the entity was first included in
                this data feed.</xsd:documentation>
                <xsd:documentation>scap:gov.nist:Discovered -
                The date that the vulnerability was first discovered.
                </xsd:documentation>
                <xsd:documentation>scap:gov.nist:Disclosure -
                The date and time that the vulnerability was disclosed
                to the public.</xsd:documentation>
                <xsd:documentation>scap:gov.nist:VendorDisclosure -
                The date and time that the software vendor was first
                notified of the vulnerability.</xsd:documentation>
            </xsd:annotation>
          </xsd:element>
        </xsd:sequence>
      </xsd:extension>
    </xsd:complexContent>
  </xsd:complexType>
  <xsd:complexType name="textTargetInformationType">
    <xsd:annotation>
      <xsd:documentation>Provides a mechanism to specify
      the intended audiences and uses of an element
      </xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element name="content-type" type="xsd:anyURI"
      minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>A controlled vocabulary that
          allows the specification of the type of content
          </xsd:documentation>
          <xsd:documentation>scap:gov.nist:description -
          Provides descriptive information</xsd:documentation>
          <xsd:documentation>scap:gov.nist:technical -
          Provides technical details</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
    </xsd:sequence>
  </xsd:complexType>
  <xsd:complexType name="targetedTextType">
    <xsd:annotation>
      <xsd:documentation>Provides text and optional hints
      on how that text should be processed</xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element name="intended-uses" type="textTargetInformationType"
      minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>Specifies the potential target and use
          case combinations where this text may be appropriate
          </xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="text" type="localeTextType"
      minOccurs="1" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>Contains text</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
    </xsd:sequence>
  </xsd:complexType>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Metadata Type  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:complexType name="metadataType">
    <xsd:annotation>
      <xsd:documentation>A type used to represent the metadata
      associated with the vulnerability.</xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element name="status"
      type="vulnerabilityRecordStatusEnumType"
      minOccurs="0" maxOccurs="1" default="VALID">
        <xsd:annotation>
          <xsd:documentation>Records the status of the vulnerability
          record within the scope of the primary namespace.
          </xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="event" type="extendedLifecycleEventType"
      minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>Records lifecycle event information for the
          entity</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="supersession" type="supersessionType"
      minOccurs="0" maxOccurs="1">
        <xsd:annotation>
          <xsd:documentation>Information used to indicate supersession
          relationships for a record. This element is only to be used
          if the record has been superseded or if the record has
          superseded another entry.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
    </xsd:sequence>
  </xsd:complexType>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Vulnerable Software  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:complexType name="vulnerableSoftwareType">
    <xsd:annotation>
      <xsd:documentation>Identifies the software versions that have
      this vulnerability.
      </xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element name="product" type="cpe-lang:namePattern"
      maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>The CPE name of the vulnerable software.
          </xsd:documentation>
        </xsd:annotation>
      </xsd:element>
    </xsd:sequence>
  </xsd:complexType>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Vulnerability  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:complexType name="vulnerabilityType">
    <xsd:annotation>
      <xsd:documentation>Holds all of the information about a
      given vulnerability.
      </xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element name="vulnerability-id" type="vulnerabilityIdType"
      minOccurs="1" maxOccurs="1">
        <xsd:annotation>
          <xsd:documentation>The unique identifier for the
          vulnerability in regards to this vulnerability
          data source.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="vulnerability-id-alias"
      type="vulnerabilityAliasType"
      minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>Additional identifiers for the
          vulnerability that represent it in other data sources.
          An example would be a CVE identifier.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="record-metadata" type="metadataType"
      minOccurs="0" maxOccurs="1">
        <xsd:annotation>
          <xsd:documentation>Additional metadata about the record.
          </xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="text" type="targetedTextType" minOccurs="1"
      maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>Provides textual information about the
          vulnerability. At least a block with the use case
          gov.nist.scap:Summary must be provided.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="references" type="vulnerabilityReferencesType"
      minOccurs="0">
        <xsd:annotation>
          <xsd:documentation>References to additional
          information about the vulnerability.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="vulnerable-software-list"
      type="vulnerableSoftwareType" minOccurs="0" maxOccurs="1">
        <xsd:annotation>
          <xsd:documentation>A list of CPE names corresponding to
          the software versions that have this vulnerability.
          </xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="vulnerable-configuration"
      type="vulnerableConfigurationType"
      minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>A CPE Language construct that identifies
          the conditions under which the vulnerability exists. Only
          needed when the vulnerability is situationally exploitable.
          </xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="analysis" type="vulnerabilityAnalysisType"
      minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>Characteristics and impact of the
          vulnerability, optionally split based on configuration.
          </xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:any namespace="##other" processContents="lax"
      minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>Extension point for additional
          information</xsd:documentation>
        </xsd:annotation>
      </xsd:any>
    </xsd:sequence>
  </xsd:complexType>

  <!-- Assessment Check -->
  <xsd:complexType name="checkSearchType">
    <xsd:attribute name="system" type="xsd:anyURI" use="required"/>
    <xsd:attribute name="name" type="xsd:token" use="optional"/>
  </xsd:complexType>
  <xsd:complexType name="checkReferenceType">
    <xsd:annotation>
      <xsd:documentation xml:lang="en">Data type for the check
      element, a checking system specification URI, string content,
      and an optional external file reference. The checking system
      specification should be the URI for a particular version of
      OVAL or a related system testing language, and the content
      will be an identifier of a test written in that language. The
      external file reference could be used to point to the file in
      which the content test identifier is defined.</xsd:documentation>
    </xsd:annotation>
    <xsd:complexContent>
      <xsd:extension base="checkSearchType">
        <xsd:attribute name="href" type="xsd:anyURI" use="required"/>
      </xsd:extension>
    </xsd:complexContent>
  </xsd:complexType>
  <xsd:element name="assessment-check" type="checkReferenceType"/>
  <xsd:complexType name="assessmentMethodType">
    <xsd:annotation>
      <xsd:documentation>Denotes a scanner and required configuration
      that is capable of detecting the referenced vulnerability.
      May also be an OVAL definition and omit scanner name.
      </xsd:documentation>
      <xsd:documentation>Identifies a tool and any associated
      information about the tool, such as signature versions, that
      indicate the tool is capable of properly detecting and/or
      remediating the vulnerability or misconfiguration.
      </xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element name="assessment-check" type="checkReferenceType">
        <xsd:annotation>
          <xsd:documentation>Identifies a check that can be used to
          detect the vulnerability or misconfiguration
          </xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="assessment-engine" type="cpe-lang:namePattern"
      minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>The CPE name of the scanning tool.
          The CPE name can be used for a CPE from the NVD, the CPE
          title attribute for internal naming conventions, or both
          where possible.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
    </xsd:sequence>
  </xsd:complexType>

  <!-- Vulnerable Configuration -->
  <xsd:complexType name="vulnerableConfigurationType">
    <xsd:sequence>
      <xsd:element ref="cpe-lang:platform-configuration">
        <xsd:annotation>
          <xsd:documentation>The product(s) that collectively
          characterize a particular IT platform type. See the CPE
          Language specification for additional information.
          </xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="assessment-check" type="assessmentMethodType"
      minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>An optional list of equivalent assessment
          methods that specify additional system state that must
          be present for the vulnerability to exist.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:any namespace="##other" processContents="lax"
      minOccurs="0" maxOccurs="unbounded"/>
    </xsd:sequence>
    <xsd:attribute name="id" type="xsd:anyURI" use="required">
      <xsd:annotation>
        <xsd:documentation>The id for the vulnerable configuration.
        </xsd:documentation>
      </xsd:annotation>
    </xsd:attribute>
  </xsd:complexType>
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <!--  Vulnerability_Reference  -->
  <!-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -->
  <xsd:complexType name="vulnerabilityReferenceType">
    <xsd:complexContent>
      <xsd:extension base="referenceType">
        <xsd:sequence>
          <xsd:element name="source" type="xsd:token"
          minOccurs="0" maxOccurs="1">
            <xsd:annotation>
              <xsd:documentation>The source that provided the
              reference (e.g., individual, organization).
              </xsd:documentation>
            </xsd:annotation>
          </xsd:element>
          <xsd:element name="notes" type="localeNotesType"
          minOccurs="0" maxOccurs="1">
            <xsd:annotation>
              <xsd:documentation>Notes regarding the vulnerability or
              the reference source.</xsd:documentation>
            </xsd:annotation>
          </xsd:element>
          <xsd:element name="extended-information"
          minOccurs="0" maxOccurs="unbounded">
            <xsd:annotation>
              <xsd:documentation>TODO: Provide guidance in the spec on
              how to use unbounded properly with multiple namespaces
              and element contents</xsd:documentation>
            </xsd:annotation>
            <xsd:complexType>
              <xsd:sequence>
                <xsd:any namespace="##other" processContents="lax"
                minOccurs="1" maxOccurs="unbounded"/>
              </xsd:sequence>
            </xsd:complexType>
          </xsd:element>
        </xsd:sequence>
        <xsd:attribute name="deprecated" type="xsd:boolean"
        use="optional" default="false">
          <xsd:annotation>
            <xsd:documentation>Whether or not this reference has been
            deprecated. Deprecated references should no longer be used.
            </xsd:documentation>
          </xsd:annotation>
        </xsd:attribute>
        <xsd:attribute name="type" type="xsd:anyURI" use="required">
          <xsd:annotation>
            <xsd:documentation>A controlled vocabulary that
            identifies the reference category for this reference.
            </xsd:documentation>
            <xsd:documentation>scap:gov.nist:Patch -
            The reference includes a link to a software patch
            or update instructions</xsd:documentation>
            <xsd:documentation>scap:gov.nist:VendorAdvisory -
            The reference is by an authoritative source for the
            affected software</xsd:documentation>
            <xsd:documentation>scap:gov.nist:ThirdPartyAdvisory -
            The reference is by a non-authoritative source for
            the affected software</xsd:documentation>
            <xsd:documentation>scap:gov.nist:SignatureSource -
            The reference includes a link to one or more signatures
            for use in a signature-based detection system
            </xsd:documentation>
            <xsd:documentation>scap:gov.nist:MitigationProcedure -
            The reference includes information regarding mitigation
            techniques that may help reduce exposure to the
            vulnerability</xsd:documentation>
            <xsd:documentation>
            scap:gov.nist:ToolConfigurationDescription -
            The reference includes information regarding the
            configuration of a tool that can be used to detect
            the vulnerability</xsd:documentation>
            <xsd:documentation>scap:gov.nist:AttackScenario -
            The reference provides a sample attack scenario that
            demonstrates how the vulnerability may be exploited
            </xsd:documentation>
            <xsd:documentation>scap:gov.nist:TechnicalDescription -
            The reference provides a technical description of the
            vulnerability</xsd:documentation>
            <xsd:documentation>scap:gov.nist:Other -
            The reference does not fit into one of the other
            categories</xsd:documentation>
          </xsd:annotation>
        </xsd:attribute>
        <xsd:attribute ref="xml:lang" use="optional" default="en">
          <xsd:annotation>
            <xsd:documentation>The language used by the
            reference source.</xsd:documentation>
          </xsd:annotation>
        </xsd:attribute>
      </xsd:extension>
    </xsd:complexContent>
  </xsd:complexType>
  <xsd:complexType name="vulnerabilityReferencesType">
    <xsd:annotation>
      <xsd:documentation>Holds information relating to
      references for the vulnerability.</xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element name="reference" type="vulnerabilityReferenceType"
      minOccurs="1" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>The reference source. This may be
          a URL or a document.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
    </xsd:sequence>
  </xsd:complexType>
  <xsd:complexType name="vulnerabilityAnalysisType">
    <xsd:sequence>
      <xsd:element name="vulnerable-configuration-ref"
      type="internalReferenceType" minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>A reference to the vulnerable-configuration
          element(s) that can be exploited through this particular
          attack method.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="impact" type="cvss2ImpactType"
      minOccurs="0" maxOccurs="1">
        <xsd:annotation>
          <xsd:documentation>Provides information about the
          severity of the vulnerability.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="characteristic"
      type="vulnerabilityCharacteristicType" minOccurs="0"
      maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>Identifies characteristics of the
          vulnerability.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:any namespace="##other" processContents="lax"
      minOccurs="0" maxOccurs="unbounded"/>
    </xsd:sequence>
    <xsd:attribute name="id" type="xsd:anyURI" use="required">
      <xsd:annotation>
        <xsd:documentation>The ID for the attack method.
        </xsd:documentation>
      </xsd:annotation>
    </xsd:attribute>
  </xsd:complexType>
  <xsd:complexType name="impactType">
    <xsd:sequence>
      <xsd:element name="inclusion" type="lifecycleEventType"
      minOccurs="0" maxOccurs="1">
        <xsd:annotation>
          <xsd:documentation>The date and time that the impact
          information was first included in this data feed.
          </xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:element name="modification" type="lifecycleEventType"
      minOccurs="0" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation>The date and time the impact
          information was modified. Multiple instances of this
          can be used to serve as a change log.
          </xsd:documentation>
        </xsd:annotation>
      </xsd:element>
    </xsd:sequence>
  </xsd:complexType>
  <xsd:complexType name="cvss2ImpactType">
    <xsd:complexContent>
      <xsd:extension base="impactType">
        <xsd:sequence>
          <xsd:element name="cvss2-metrics"
          type="cvssv2:cvssImpactType"
          minOccurs="1" maxOccurs="1">
            <xsd:annotation>
              <xsd:documentation>The base and temporal metrics and
              scores for a vulnerability.</xsd:documentation>
            </xsd:annotation>
          </xsd:element>
        </xsd:sequence>
      </xsd:extension>
    </xsd:complexContent>
  </xsd:complexType>
  <xsd:complexType name="vulnerabilityCharacteristicType" mixed="true">
    <xsd:annotation>
      <xsd:documentation>Holds information relating to the
      characteristics of the vulnerability.</xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:any namespace="##other" processContents="lax"
      minOccurs="0" maxOccurs="1"/>
    </xsd:sequence>
    <xsd:attribute name="type" type="xsd:anyURI"/>
  </xsd:complexType>
  <xsd:complexType name="internalReferenceType">
    <xsd:attribute name="id-ref" type="xsd:anyURI"/>
  </xsd:complexType>

  <!-- references type -->
  <xsd:complexType name="referenceItemType" abstract="true">
    <xsd:sequence>
      <xsd:element name="ref-id" type="xsd:anyURI" minOccurs="0">
        <xsd:annotation>
          <xsd:documentation>The identifier of the object being
          referenced.</xsd:documentation>
        </xsd:annotation>
      </xsd:element>
      <xsd:any namespace="##other" minOccurs="0"
      maxOccurs="unbounded" processContents="lax"></xsd:any>
    </xsd:sequence>
  </xsd:complexType>
  <xsd:element name="item" type="referenceItemType" abstract="true" />

  <xsd:complexType name="embeddedReferenceItemType">
    <xsd:complexContent>
      <xsd:extension base="referenceItemType">
        <xsd:choice>
          <xsd:element name="text" type="xhtmlLocaleTextType"/>
          <xsd:element name="binary" type="xsd:base64Binary"/>
        </xsd:choice>
      </xsd:extension>
    </xsd:complexContent>
  </xsd:complexType>
  <xsd:element name="embedded-item"
  type="embeddedReferenceItemType" substitutionGroup="item"/>

  <xsd:complexType name="externalReferenceItemType">
    <xsd:annotation>
      <xsd:documentation xml:lang="en-US">Type for a reference
      with an optional URI reference. This would normally
      be used to point to extra descriptive material, or the
      supplier's web site, or the platform documentation.
      It consists of a piece of text (intended to be human-
      readable) and a URI (intended to be a URL, and point
      to a real resource).</xsd:documentation>
    </xsd:annotation>
    <xsd:complexContent>
      <xsd:extension base="referenceItemType">
        <xsd:attribute name="href" type="xsd:anyURI" use="required"/>
      </xsd:extension>
    </xsd:complexContent>
  </xsd:complexType>
  <xsd:element name="external-item"
  type="externalReferenceItemType" substitutionGroup="item"/>

  <xsd:complexType name="referenceType">
    <xsd:sequence>
      <xsd:element ref="item" maxOccurs="unbounded">
        <xsd:annotation>
          <xsd:documentation xml:lang="en-US">
          A collection of one or more locale specific reference items.
          </xsd:documentation>
        </xsd:annotation>
      </xsd:element>
    </xsd:sequence>
  </xsd:complexType>

  <!-- text types -->
  <xsd:complexType name="xhtmlLocaleTextType">
    <xsd:complexContent>
      <xsd:extension base="xhtml:xhtml.body.type">
      </xsd:extension>
    </xsd:complexContent>
  </xsd:complexType>

  <xsd:complexType name="localeTextType">
    <xsd:annotation>
      <xsd:documentation xml:lang="en-US">This type
      allows the xml:lang attribute to associate a
      specific language with an element's string
      content.</xsd:documentation>
    </xsd:annotation>
    <xsd:simpleContent>
      <xsd:extension base="xsd:string">
        <xsd:attribute ref="xml:lang" use="required"/>
      </xsd:extension>
    </xsd:simpleContent>
  </xsd:complexType>

  <xsd:complexType name="localeNotesType">
    <xsd:annotation>
      <xsd:documentation xml:lang="en-US">This type
      defines an element that consists of one or
      more child note elements. It is assumed
      that each of these note elements is
      representative of the same language as
      defined by its parent.</xsd:documentation>
    </xsd:annotation>
    <xsd:sequence>
      <xsd:element name="note" type="localeTextType"
      maxOccurs="unbounded" />
    </xsd:sequence>
  </xsd:complexType>
  <xsd:element name="notes" type="localeNotesType">
    <xsd:unique name="uniqueNoteLocale">
      <xsd:selector xpath="note"/>
      <xsd:field xpath="@xml:lang"/>
    </xsd:unique>
  </xsd:element>
  <!-- metadata information -->
  <xsd:complexType name="lifecycleEventType">
    <xsd:sequence>
      <xsd:element ref="dcterms:identifier"
      minOccurs="0" maxOccurs="unbounded" />
      <xsd:element ref="dcterms:date"
      minOccurs="0" maxOccurs="unbounded" />
      <xsd:element ref="dcterms:creator"
      minOccurs="0" maxOccurs="unbounded" />
      <xsd:element ref="dcterms:contributor"
      minOccurs="0" maxOccurs="unbounded" />
      <xsd:element ref="dcterms:publisher"
      minOccurs="0" maxOccurs="unbounded" />
      <xsd:element ref="dcterms:description"
      minOccurs="0" maxOccurs="unbounded" />
      <xsd:element ref="dcterms:subject"
      minOccurs="0" maxOccurs="unbounded" />
      <xsd:element ref="dcterms:source"
      minOccurs="0" maxOccurs="unbounded" />
      <xsd:element name="extended-metadata" minOccurs="0">
        <xsd:complexType>
          <xsd:sequence>
            <xsd:any namespace="##any" processContents="lax"
            maxOccurs="unbounded"/>
          </xsd:sequence>
        </xsd:complexType>
      </xsd:element>
    </xsd:sequence>
  </xsd:complexType>
</xsd:schema>
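   Several constraints in the schema above are stated only in
   annotation text and cannot be enforced by an XML Schema validator:
   reference/@type is typed as xsd:anyURI but is meant to be drawn from
   the scap:gov.nist vocabulary, deprecated references "should no
   longer be used", and vulnerable-configuration-ref/@id-ref is a bare
   xsd:anyURI with no key/keyref tying it to a vulnerable-configuration
   @id.  The following Python linter is an added example, not part of
   this draft or of the VDM schema, showing how a consumer can check
   those rules on a received instance before trusting it.  It assumes a
   placeholder namespace (the real VDM target namespace is not
   reproduced here), operates on a constructed instance fragment, and,
   as an extension of the schema's intent, applies the uniqueNoteLocale
   rule (declared above on the global notes element) to the notes
   inside a reference as well.

```python
"""Lint a VDM instance fragment for constraints the schema states in
prose but cannot enforce structurally.  Added example; not part of
the draft.  The VDM namespace below is a placeholder."""
import xml.etree.ElementTree as ET

# Placeholder: the real VDM target namespace is not reproduced here.
VDM_NS = "urn:example:vdm-namespace-placeholder"
XML_LANG = "{http://www.w3.org/XML/1998/namespace}lang"


def q(local_name):
    """Clark-notation name in the (placeholder) VDM namespace."""
    return "{%s}%s" % (VDM_NS, local_name)


# Controlled vocabulary for reference/@type, copied from the
# annotation on vulnerabilityReferenceType.
REFERENCE_TYPES = frozenset({
    "scap:gov.nist:Patch",
    "scap:gov.nist:VendorAdvisory",
    "scap:gov.nist:ThirdPartyAdvisory",
    "scap:gov.nist:SignatureSource",
    "scap:gov.nist:MitigationProcedure",
    "scap:gov.nist:ToolConfigurationDescription",
    "scap:gov.nist:AttackScenario",
    "scap:gov.nist:TechnicalDescription",
    "scap:gov.nist:Other",
})

# Constructed sample: one clean reference, one that breaks three rules
# (unknown type, deprecated, duplicate locale), and an analysis whose
# second id-ref points at a configuration that does not exist.
SAMPLE = """<vulnerability xmlns="%s">
  <references>
    <reference type="scap:gov.nist:VendorAdvisory">
      <external-item href="https://vendor.example/advisory/1"/>
      <source>Vendor PSIRT</source>
      <notes>
        <note xml:lang="en">Fixed in the next maintenance release.</note>
        <note xml:lang="de">Im naechsten Wartungsrelease behoben.</note>
      </notes>
    </reference>
    <reference type="scap:gov.nist:Exploit" deprecated="true">
      <external-item href="https://mirror.example/old-writeup"/>
      <notes>
        <note xml:lang="en">Superseded.</note>
        <note xml:lang="en">Duplicate locale on purpose.</note>
      </notes>
    </reference>
  </references>
  <vulnerable-configuration id="urn:example:config-1"/>
  <analysis id="urn:example:analysis-1">
    <vulnerable-configuration-ref id-ref="urn:example:config-1"/>
    <vulnerable-configuration-ref id-ref="urn:example:config-9"/>
  </analysis>
</vulnerability>
""" % VDM_NS


def lint(xml_text):
    """Return a list of human-readable findings; an empty list is clean."""
    root = ET.fromstring(xml_text)
    findings = []

    for i, ref in enumerate(root.iter(q("reference"))):
        rtype = ref.get("type")
        if rtype not in REFERENCE_TYPES:
            findings.append("reference[%d]: type %r is not in the "
                            "controlled vocabulary" % (i, rtype))
        # xsd:boolean lexical forms are true/false/1/0; default is false.
        if ref.get("deprecated", "false") in ("true", "1"):
            findings.append("reference[%d]: marked deprecated; deprecated "
                            "references should no longer be used" % i)
        notes = ref.find(q("notes"))
        if notes is not None:
            seen = set()
            for note in notes.findall(q("note")):
                lang = note.get(XML_LANG)
                if lang is None:
                    findings.append("reference[%d]: note is missing "
                                    "xml:lang" % i)
                elif lang in seen:
                    findings.append("reference[%d]: duplicate note locale "
                                    "%r (violates uniqueNoteLocale)"
                                    % (i, lang))
                else:
                    seen.add(lang)

    # id-ref resolution: every analysis must point at a declared
    # vulnerable-configuration, otherwise the analysis is unanchored.
    config_ids = {vc.get("id")
                  for vc in root.iter(q("vulnerable-configuration"))}
    for analysis in root.iter(q("analysis")):
        for cref in analysis.findall(q("vulnerable-configuration-ref")):
            target = cref.get("id-ref")
            if target not in config_ids:
                findings.append("analysis %r: id-ref %r does not match any "
                                "vulnerable-configuration/@id"
                                % (analysis.get("id"), target))
    return findings


if __name__ == "__main__":
    for line in lint(SAMPLE):
        print(line)
```

   Run stand-alone, the script reports four findings for the sample:
   the unknown reference type, the deprecated reference, the duplicate
   "en" note locale, and the dangling id-ref.  Such a pass belongs in
   front of any consumer that acts on VDM data, because a feed that
   passes schema validation can still carry references outside the
   vocabulary or analyses that point at configurations the document
   never defines.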




Authors' Addresses

   Harold Booth
   National Institute of Standards and Technology
   100 Bureau Drive
   Gaithersburg, Maryland  20899
   USA

   Phone:
   Email: harold.booth@nist.gov


   Karen Scarfone
   Scarfone Cybersecurity
   13632 S. Springs Dr.
   Clifton, Virginia  20124
   USA

   Phone:
   Email: karen@scarfonecybersecurity.com
