How is AVDL different from efforts like CVE and VulnXML?
AVDL is not intended to duplicate or replace any existing industry standard and should be entirely complimentary to efforts like CVE and VulnXML. Both CVE and VulnXML focus on creating more uniform ways for security researchers to describe and classify specific new vulnerabilities when they are initially discovered in much the same way anti-virus researchers have been attempting to do for years. CVE is valuable primarily for describing and classifying network-layer vulnerabilities, while VulnXML attempts to add some of the detail needed to adequately describe application-layer vulnerabilities. Members of the OASIS AVDL Technical Committee support both CVE and VulnXML. AVDL addresses the broader business-oriented problem of how companies actually manage ongoing application security risk on a day-to-day basis. Managing application security risk in a highly dynamic environment can be an extraordinary challenge for security administrators. Fortunately, there are now a wide variety of best-
