On today’s working call, we discussed the proposal to add an explicit relationship from an Indicator to a Vulnerability that would say that the Indicator ‘indicates’ a vulnerability.
The vote was as follows:
Yes – 3
No – 9
Abstain - 3
There was also some discussion about pushing this topic to STIX 2.2+, which is always possible for every object we don’t choose to add currently. Thus, the current consensus is to
NOT include an explicit relationship between indicator and vulnerability (knowing that you can always do it with a custom relationship or the generic relationship), and if necessary, this topic can be revisited in a future version of STIX.
We’re sending this to the list in order to let everyone know what was discussed and to give everyone time to comment or disagree. Unless there are objections, this property will NOT be added, and this issue
in github will be marked to reflect the decision.
Thanks,
Sarah Kelley
Senior Cyber Threat Analyst
Multi-State Information Sharing and Analysis Center (MS-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
sarah.kelley@cisecurity.org 518-266-3493
24x7 Security Operations Center
SOC@cisecurity.org - 1-866-787-4722
This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender
immediately and permanently delete the message and any attachments.
. . . . .