scope:

This Recommendation provides a framework of bidirectional flow of automatic notification and distribution of vulnerability information as well as the distribution of updates and/or patches. In addition, this Recommendation makes it possible for system administrators to know the condition of any Asset within their realm of responsibility.

Clauses 6 and 7 describe the problems of maintaining Assets from an Asset identification point of view, as well as information dissemination and systems/networks management points of view.

Clause 8 describes the overview of the vendor-neutral framework, which includes an example system supported by the adoption of the framework, comportments of the framework and an exemplary sequence of exchanges within the framework.Clause 8 also describes the security that should be considered in the vendor-neutral framework.

Clause 9 describes the functionalities and features of this Recommendation.

Clause 10 provides the definitions of the data structures of components of this Recommendation.

Clause 11 contains the XML schema defined and described in clause 10.

This Recommendation provides a framework that any vendor can use for notification, as well as the receiving of vulnerability information and dissemination of required patches/updates for covered Assets, and defines the format of the information that should be used in and between components implementing this framework.

This Recommendation does not define protocols to be used in the communication between components as many protocols are supported without special consideration.

Some common roles and responsibilities will be needed to be established for operation based on the vendor-neutral framework; however, a discussion regarding the establishment and operation of possible roles and their resulting responsibilities is not within the scope of this Recommendation.