
standard format for security vulnerability data



There are clearly a growing number of IRTs, vendors, and even responsible
individuals who disseminate security vulnerability information via email
and the web. 

While this dissemination is of course a good thing, those on the receiving
end find that we have an increasingly difficult job in effectively
managing the growing mountain of information.  Specifically, trying to
collate and store it in order to do something useful with it later, such
as query it in an ad hoc manner using something better than grep, is a
tough job that's only getting harder with time. 

I believe that this core problem could be solved to everyone's benefit,
would the vulnerability announcement populace voluntarily adopt a standard
format for dissemination.  This could be a boon to all, by providing the
vital data in a way that is easily digested by import scripts tied to
problem tracking systems or relational databases or whatever.  I don't yet
know what the "standard format" would look like, but perhaps consensus
could be reached.  For now, think of the text as being tagged or marked up
in some fashion.

Beyond the basic concept, I haven't yet taken this very far, but have a
strong interest in doing so.  Unless the idea is shot down early, one
potential outcome is a draft RFC.  At this stage, I am looking for your:

* active encouragement -or- urging not to proceed
* ideas, insights, opinions
* recommendations - how to move forward, requirements, etc.

Thanks,

---
Larry J. Hughes Jr.    larry@nwnet.net     http://www.nwnet.net/~larry/