DISCLOSURE: I'm working on commercial tooling for this exact problem [1]

> 1) What would your expectations be towards a software vendor in terms of what issues to "fix"?

I would want the vendor to communicate their analysis for all CVEs, i.e. letting us know which are exploitable or not, and what kind of response they are planning, or any fixes released. There are efforts to standardize this workflow with Vulnerability Disclosure Reports (VDRs) [2] and the Vulnerability Exploitability eXchange (VEX) [3]. Both these use cases are covered by OWASP CycloneDX [4].

> 2) Is anyone aware of a security database & evaluation tool geared for vendors not for end-users?

IMHO, there are not any good tools available that solve the complete workflow. We are certainly aiming to fix that with [1], but it will take some time.

[1] https://sbom.observer
[2] https://www.cisa.gov/resources-tools/resources/minimum-requi...
[3] https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/f...
[4] https://cyclonedx.org/capabilities/vex/
Feel free to reach out to me via my e-mail from my profile if you're interested in Beta testers.
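As an added example (not the commenter's tool or any CycloneDX project code), here is a consumer-side check over a constructed CycloneDX-style VEX document: it groups each CVE by the vendor's stated `analysis.state` and separately flags entries the vendor has not analysed at all, which is the gap the comment above wants vendors to close. The CVE ids, package refs and detail strings are placeholders.

```python
import json

# Constructed CycloneDX 1.4-style VEX document (sample data, not from the post).
# Vulnerability ids and component refs are placeholders.
VEX_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "source": {"name": "NVD"},
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "Vulnerable parser is never invoked by the product."},
     "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}]},
    {"id": "CVE-0000-0002", "source": {"name": "NVD"},
     "analysis": {"state": "exploitable", "response": ["update"],
                  "detail": "Fixed in product release 2.1."},
     "affects": [{"ref": "pkg:npm/example-lib@1.2.3"}]},
    {"id": "CVE-0000-0003", "source": {"name": "NVD"},
     "affects": [{"ref": "pkg:npm/other-lib@0.9.0"}]}
  ]
}
"""

# Analysis states defined by the CycloneDX 1.4 vulnerability schema.
VALID_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                "in_triage", "false_positive", "not_affected"}

def triage_vex(doc: dict) -> dict:
    """Group vulnerabilities by the vendor's stated analysis state.
    Entries with no analysis block (or an unknown state) land in 'missing_analysis'
    so the consumer can ask the vendor for a statement instead of silently ignoring them."""
    buckets = {"exploitable": [], "not_affected": [], "other": [], "missing_analysis": []}
    for vuln in doc.get("vulnerabilities", []):
        vid = vuln.get("id", "<no id>")
        analysis = vuln.get("analysis")
        if not analysis or analysis.get("state") not in VALID_STATES:
            buckets["missing_analysis"].append(vid)
        elif analysis["state"] == "exploitable":
            buckets["exploitable"].append((vid, analysis.get("response", [])))
        elif analysis["state"] == "not_affected":
            buckets["not_affected"].append((vid, analysis.get("justification")))
        else:
            buckets["other"].append((vid, analysis["state"]))
    return buckets

def summarize(vex_text: str) -> dict:
    return triage_vex(json.loads(vex_text))

if __name__ == "__main__":
    for state, entries in summarize(VEX_JSON).items():
        print(f"{state}: {entries}")
```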