In July 2004, the Ministry of Economy, Trade and Industry (METI) adopted the "Standard for Handling Software Vulnerability Information" as an official rule, and began promoting the "Information Security Early Warning Partnership" as a practical framework. This provides a framework and clear-cut procedures for contacting product vendors about vulnerabilities before word of the vulnerability is released to the public, requesting vendor action regarding a vulnerability, and coordinating with other concerned organizations around the world so that a patch can be released at the same time that the vulnerability warning goes out.
Launched on a trial basis with the support of the JPCERT/CC, the JVN was jointly run by the IPA (Information-Technology Promotion Agency) and the JPCERT/CC within the official framework. Subsequently, the name of the organization was changed to "JP Vendor Status Notes", but the original acronym JVN was retained, and the site for publishing status of efforts dealing with domestic software vulnerabilities was also kept the same.
Figure 1: Basic framework for distributing vulnerability related information
It is highly significant that JVN is run within a public framework. Naturally, users tend to assess vendors who do provide information about vulnerabilities more favorably than vendors who don't, and vendors who pick up on this fact become much more responsive about providing such information on the website. JVN is thus contributing to the emergence of an atmosphere in which better quality product and service security are assured. To enlist full support from the vendors, it is essential to devise a scheme that makes it easy for them to participate, and a method for disseminating vulnerability information that does not involve a lot of time and effort.
It would also be better from the users' perspective if they could assemble information without going to a lot of trouble. I know from my own experience in preparing vulnerability reports for in-house consumption that I had to pull together information from many different security-related and news sites. I can only assume that somebody else is doing exactly the same thing for other divisions and in other companies. Just imagine how redundant this is and how many people are engaged in compiling the same information throughout Japan. Originally, the real work was not in collecting the information so much as figuring out how to use it. Here too, JVN must make the dissemination of information its primary purpose.