Call for Papers
Invitational Workshop on Computer Vulnerability Data Sharing
Gaithersburg, Md., June 10 - 12, 1996.

Sponsored by:
The Advanced Research Projects Agency (ARPA)
The COAST Lab at Purdue University
The National Communications System (NCS)
The National Institute of Standards and Technology (NIST)

Researchers in communities including intrusion detection, security, incident handling, and software engineering have long expressed an interest in having access to a repository of vulnerability data that could be used in their experiments and analyses. These communities have different requirements for such a repository and would derive different benefits from it. These differences have often been cited as obstacles to the creation or sharing of such a repository. The purpose of this invitational workshop is to bring together interested researchers from these communities to explore these differences and questions. We hope to reach a consensus on creating a repository that can benefit all.

Issues explored at this workshop are expected to include:
* determining a vulnerability classification scheme,
* defining useful levels of abstraction for vulnerability definition for research, incident handling or intrusion detection,
* developing the data structures and applications to support the classification scheme,
* developing a sanitization method that protects incident victims,
* ensuring the integrity and authenticity of the repository data,
* regulating access to the data to only those with legitimate need, proprietary constraints, and other external controls (and defining what "legitimate need" might be).

Other administrative issues to be addressed include the collection and dissemination qualifications among the users, overall management of the repository, and resource requirements. Broader issues would include unanswered legal questions regarding participation and information dissemination, participant trust limitations, and creating a self-supporting capability.
Position papers are invited that address one or more of the following topics:
* How should a repository of vulnerability data be structured?
* What mechanisms should be used to collect, store, sanitize and disseminate the information?
* What data items should be present in the data?
* Should explicit exploitation scripts, or transcripts of example exploitations, be included?
* How can the accuracy and quality of the information be ensured?
* Should access to the data be restricted in any way?
* What is the liability issue of disseminating information that is subsequently used to cause a threat event?
* Who might want to use this data appropriately and how?
* To whom, under what circumstances, and how should the repository distribute unfixed vulnerabilities?
* What could the subscription model look like to create a self-supporting repository?

Individuals interested in attending the workshop are invited to submit a position paper draft to the program committee. Invitations will be extended by the program committee based on these drafts. Paper drafts should touch on one or more of the topics suggested above, and should offer at least some suggested answers to the questions or problems posed in this area.

Papers should be submitted as standard PostScript or as plain ASCII text via e-mail. Paper copies may be submitted in lieu of electronic copies by advance permission only -- contact the committee chairs at the electronic mail address given below. Papers should not exceed 20 printed pages in length, and must NOT contain proprietary or classified data.

Important Dates:
Extended Abstracts Due: March 8
Invitations extended: April 10
Final Papers due: May 14

Program Committee:
Gene Spafford, Purdue University (co-chair)
Tim Grance, NIST (co-chair)
Rebecca Bace, NSA
Dave Bailey, Galaxy Computer Services
Matt Bishop, UC Davis
Carl Landwehr, NRL
Tom Longstaff, CERT
Teresa Lunt, ARPA
Marv Schaefer, ARCA Systems
Steve Smaha, Haystack Labs, Inc.
Kevin Zeiss, AFIW

Send abstracts or comments to <vuln_workshop@cs.purdue.edu>