The National Institute of Standards and Technology (NIST) team that runs the National Vulnerability Database (NVD) was awarded the 2021 InnovateIT Award: Security Innovation Leader.
Bob Byers is credited with leading the team that developed a method to better assess and understand the vulnerabilities described in the NVD. The database, maintained by NIST's Computer Security Division, is used daily by the U.S. Federal Government and hundreds of governments worldwide, by Fortune 500 and other commercial companies, by private institutions, and by critical infrastructure operators to detect and address known vulnerabilities. Mr. Byers, together with Christopher Turner and David Waltermire, did this in a way that supports a volume of analysis achievable only through automation and emerging technologies such as artificial intelligence (AI) and machine learning (ML).
The NVD team set out to increase participation in, and access to, vulnerability data; to replace the subjective characterizations in reported vulnerabilities with a common, consistent taxonomy; to provide a framework for building vulnerability tools; and to reduce dependence on human security analysts for analyzing known vulnerabilities. Their approach was to standardize vulnerability terminology and format while building a framework to automate analysis. They defined a JSON format, readable by both humans and machines, for vulntological (ontology-based) representations of vulnerabilities, so that developers can use the information in their own applications. They published a GitHub repository of schema specifications, complete with examples and submission templates, to promote adoption of the new scheme for ontological representations. Finally, they built a comparative-analysis capability that uniquely identifies and compares submitted ontological representations, validating each submission before it is added to the repository.
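As an added illustration (not code from NIST or the NVD project), here is a small Python ingest routine that does the three things the paragraph describes: it checks submitted JSON records against a schema, normalizes them into a canonical form, and fingerprints that form so a re-submission of an already-recorded description is rejected as a duplicate. The schema, the field names (id, scenarios, theater, action, impact), the theater vocabulary and the sample submissions are all constructed assumptions standing in for the real Vulntology schema, which this example does not reproduce.

```python
"""Validate vulnerability descriptions against a small JSON schema and
fingerprint them so duplicate submissions to a repository are rejected.

The schema here is a hypothetical stand-in for illustration only; it is not
the NVD Vulntology schema and the field names are assumptions."""
import hashlib
import json

# Hypothetical top-level fields and their required JSON types (assumption).
REQUIRED = {"id": str, "scenarios": list}
# Hypothetical per-scenario fields, all strings (assumption).
SCENARIO_FIELDS = ("theater", "action", "impact")
# A fixed vocabulary standing in for a controlled taxonomy (assumption).
THEATERS = {"remote", "limited_remote", "local", "physical"}


def validate_scenario(sc):
    """Return error strings for one scenario; an empty list means it is valid."""
    if not isinstance(sc, dict):
        return ["scenario must be a JSON object"]
    errors = []
    for field in SCENARIO_FIELDS:
        if field not in sc:
            errors.append(f"missing field '{field}'")
        elif not isinstance(sc[field], str):
            errors.append(f"field '{field}' must be a string")
    for key in sorted(sc):
        if key not in SCENARIO_FIELDS:
            errors.append(f"unknown field '{key}'")
    theater = sc.get("theater")
    if isinstance(theater, str) and theater not in THEATERS:
        errors.append(f"theater '{theater}' not in taxonomy {sorted(THEATERS)}")
    return errors


def validate(record):
    """Return error strings for a whole record; an empty list means it is valid."""
    if not isinstance(record, dict):
        return ["record must be a JSON object"]
    errors = []
    for field, typ in REQUIRED.items():
        if field not in record:
            errors.append(f"missing field '{field}'")
        elif not isinstance(record[field], typ):
            errors.append(f"field '{field}' must be of type {typ.__name__}")
    for key in sorted(record):
        if key not in REQUIRED:
            errors.append(f"unknown field '{key}'")
    scenarios = record.get("scenarios")
    if isinstance(scenarios, list):
        if not scenarios:
            errors.append("at least one scenario is required")
        for i, sc in enumerate(scenarios):
            errors.extend(f"scenarios[{i}]: {e}" for e in validate_scenario(sc))
    return errors


def fingerprint(record):
    """SHA-256 over a canonical form of the description (not the submitter's id):
    key order, whitespace and scenario order do not change the digest."""
    canon = sorted(
        json.dumps(sc, sort_keys=True, separators=(",", ":"))
        for sc in record["scenarios"]
    )
    blob = json.dumps(canon, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def ingest(submissions, repo=None):
    """Validate each raw JSON submission in order. Returns (accepted_ids,
    rejected) where rejected is a list of (id_or_None, [errors]). `repo` maps
    fingerprint -> id of the record already holding that description."""
    repo = {} if repo is None else repo
    accepted, rejected = [], []
    for raw in submissions:
        try:
            record = json.loads(raw)
        except json.JSONDecodeError as exc:
            rejected.append((None, [f"not valid JSON: {exc.msg}"]))
            continue
        errors = validate(record)
        if errors:
            rid = record.get("id") if isinstance(record, dict) else None
            rejected.append((rid, errors))
            continue
        fp = fingerprint(record)
        if fp in repo:
            rejected.append((record["id"], [f"duplicate of {repo[fp]} (fingerprint {fp[:12]})"]))
            continue
        repo[fp] = record["id"]
        accepted.append(record["id"])
    return accepted, rejected


# Constructed sample submissions (not real NVD data).
SUBMISSIONS = [
    json.dumps({"id": "VULN-A", "scenarios": [{"theater": "remote",
                "action": "send crafted request", "impact": "code execution"}]}),
    # Same description as VULN-A with different key order, whitespace and id.
    '{ "scenarios": [ {"impact": "code execution", "action": "send crafted request",'
    ' "theater": "remote"} ], "id": "VULN-B" }',
    # Theater value outside the controlled vocabulary.
    json.dumps({"id": "VULN-C", "scenarios": [{"theater": "network",
                "action": "send crafted request", "impact": "code execution"}]}),
    # Missing scenarios and an undeclared field.
    '{"id": "VULN-D", "severity": "high"}',
    # Not JSON at all.
    "{not json",
]

if __name__ == "__main__":
    ok, bad = ingest(SUBMISSIONS)
    print("accepted:", ok)
    for rid, errs in bad:
        print("rejected", rid, "->", "; ".join(errs))
```

Fingerprinting the canonical form rather than the raw text is what makes the comparison meaningful: two submitters who describe the same vulnerability with different key order, whitespace or scenario order collide on the digest, while the submitter-assigned id is deliberately left out so it cannot be used to slip a duplicate past the check. The rejection messages are returned rather than printed so a submission pipeline can hand them back to the contributor.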
The result is a method that improves the fidelity of vulnerability information, makes participating in risk management easier and far more accessible, and provides a framework that supports both national and international security.