Following the last working-group meeting with the MISP core team, many questions were raised concerning the tags and taxonomies used in the vulnerability ecosystem, including the CVE Program, GCVE, and others.
The CVE Program defines some tags that can be included in the CVE record format. These appear to be documented at the following location:
This documentation already includes some states that are indeed used by certain GCVE GNAs, for example in this online service vulnerability:
The MISP project already provides a vulnerability taxonomy, available at:
https://misp-project.org/taxonomies.html#_vulnerability_4
Many questions have emerged around improving the tagging and labeling of vulnerability information. We opened a ticket to better understand the process within the CVE Program:
One of the key questions was the following: if we use MISP taxonomies or other taxonomies in the tags array field, how should they be prefixed to clearly indicate which namespace is in use? Additionally, how should software react to unknown or different tags?
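To make the namespace question concrete, here is an added example (not code from the MISP project or the CVE Program) of how a consumer might read the tags array of a CVE record, separate CVE-native tags from MISP-style machine tags, and tolerate anything it does not recognise. It assumes the MISP machine-tag syntax namespace:predicate="value", assumes the three cnaTags values listed in CVE_NATIVE_TAGS exist in the record format, and treats the "vulnerability" namespace and the "exploitability" predicate as the only known taxonomy; the sample record is constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Tags defined by the CVE Record Format for the CNA container (assumption:
# these three values are in the cnaTags enumeration; check the current schema).
CVE_NATIVE_TAGS = {"unsupported-when-assigned", "exclusively-hosted-service", "disputed"}

# MISP machine-tag syntax: namespace:predicate or namespace:predicate="value".
MACHINE_TAG_RE = re.compile(
    r'^(?P<ns>[a-z0-9_-]+):(?P<pred>[a-z0-9_-]+)(?:="(?P<val>[^"]*)")?$'
)

# Taxonomy namespaces this consumer understands (assumption: MISP "vulnerability").
KNOWN_NAMESPACES = {"vulnerability"}


def parse_machine_tag(tag: str) -> Optional[Dict[str, Optional[str]]]:
    """Split a MISP-style machine tag into namespace, predicate and value."""
    m = MACHINE_TAG_RE.match(tag)
    if not m:
        return None
    return {"namespace": m["ns"], "predicate": m["pred"], "value": m["val"]}


def classify_tags(tags: List[str]) -> Dict[str, list]:
    """Bucket tags as CVE-native, known taxonomy, or unknown.

    Unknown tags are kept, not dropped, so a later component (or a human)
    can still see them; rejecting a record over an unfamiliar tag is the
    failure mode to avoid.
    """
    result: Dict[str, list] = {"cve": [], "taxonomy": [], "unknown": []}
    for tag in tags:
        if tag in CVE_NATIVE_TAGS:
            result["cve"].append(tag)
            continue
        parsed = parse_machine_tag(tag)
        if parsed and parsed["namespace"] in KNOWN_NAMESPACES:
            result["taxonomy"].append(parsed)
        else:
            result["unknown"].append(tag)
    return result


def tags_from_record(record: dict) -> List[str]:
    """Collect tags from the CNA container and every ADP container."""
    containers = record.get("containers", {})
    tags = list(containers.get("cna", {}).get("tags", []))
    for adp in containers.get("adp", []):
        tags.extend(adp.get("tags", []))
    return tags


def validate_record_tags(record: dict, strict: bool = False) -> Dict[str, list]:
    """Classify a record's tags; in strict mode, unknown tags are an error."""
    buckets = classify_tags(tags_from_record(record))
    if strict and buckets["unknown"]:
        raise ValueError(f"unknown tags: {buckets['unknown']}")
    return buckets


# Constructed sample record, shaped like a CVE JSON record; values are illustrative.
SAMPLE_RECORD = {
    "cveMetadata": {"cveId": "CVE-0000-00000"},
    "containers": {
        "cna": {
            "tags": [
                "exclusively-hosted-service",
                'vulnerability:exploitability="proof-of-concept"',
            ]
        },
        "adp": [
            {"tags": ['other-namespace:predicate="x"', "not a tag!"]},
        ],
    },
}

if __name__ == "__main__":
    buckets = validate_record_tags(SAMPLE_RECORD)
    print("CVE-native :", buckets["cve"])
    print("taxonomy   :", buckets["taxonomy"])
    print("unknown    :", buckets["unknown"])
```

The design point is the last bucket: a well-formed machine tag from a namespace the consumer has not loaded is still "unknown", and the default (non-strict) path carries it through untouched rather than discarding it or failing the record.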