HOME   Cart(0)   Quotation   About-Us Tax PDFs Standard-List Powered by Google www.ChineseStandard.net Database: 189759 (3 Nov 2024)

GB/T 28458-2020 English PDF

GB/T 28458-2020 (GB/T28458-2020, GBT 28458-2020, GBT28458-2020)
Standard IDContents [version]USDSTEP2[PDF] delivered inStandard Title (Description)StatusPDF
GB/T 28458-2020English135 Add to Cart 0--9 seconds. Auto-delivery Information security technology - Cybersecurity vulnerability identification and description specification Valid GB/T 28458-2020
GB/T 28458-2012English319 Add to Cart 3 days [Need to translate] Information security technology -- Vulnerability identification and description specification Obsolete GB/T 28458-2012
Preview PDF: GB/T 28458-2020

BASIC DATA
Standard ID GB/T 28458-2020 (GB/T28458-2020)
Description (Translated English) (Information Security Technology Network Security Vulnerability Identification and Description Specification)
Sector / Industry National Standard (Recommended)
Word Count Estimation 8,828
Date of Issue 2020-11-19
Date of Implementation 2021-06-01
Older Standard (superseded by this standard) GB/T 28458-2012
Regulation (derived from) National Standard Announcement No. 26 of 2020


GB/T 28458-2020 NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA ICS 35.040 L 80 Replacing GB/T 28458-2012 Information Security Technology - Cybersecurity Vulnerability Identification and Description Specification ISSUED ON: NOVEMBER 19, 2020 IMPLEMENTED ON: JUNE 1, 2021 Issued by: State Administration for Market Regulation; Standardization Administration of the People’s Republic of China. Table of Contents Foreword ... 3  1 Scope ... 5  2 Normative References ... 5  3 Terms and Definitions ... 5  4 Abbreviations ... 6  5 Identification and Description of Cybersecurity Vulnerability ... 6  5.1 Framework ... 6  5.2 Identification Item ... 7  5.3 Description Items ... 7  5.4 Confirmation Method ... 10  Appendix A (informative) XML Representation of an Example of Vulnerability Identification and Description Specification ... 11  Information Security Technology - Cybersecurity Vulnerability Identification and Description Specification 1 Scope This Standard specifies the identification and description information of cybersecurity vulnerability (hereinafter referred to as “vulnerability”). This Standard is applicable to all relevant parties engaged in activities, such as: vulnerability release and management, vulnerability database construction, product production, research and development, evaluation and network operation, etc. 2 Normative References The following documents are indispensable to the application of this document. In terms of references with a specified date, only versions with a specified date are applicable to this document. In terms of references without a specified date, the latest version (including all the modifications) is applicable to this document. GB/T 7408-2005 Data Elements and Interchange Formats - Information Interchange - Representation of Dates and Times GB/T 25069 Information Security Technology - Glossary GB/T 30276-2020 Information Security Technology - Specification for Cybersecurity Vulnerability Management GB/T 30279-2020 Information Security Technology - Guidelines for Categorization and Classification of Cybersecurity Vulnerability 3 Terms and Definitions What is defined in GB/T 25069, GB/T 30276-2020 and GB/T 30279-2020, and the following terms and definitions are applicable to this document. 3.1 Cybersecurity Vulnerability Cybersecurity vulnerability refers to a defect or weak point that is unintentionally or intentionally generated during the process of demand analysis, design, implementation, configuration, testing, operation and maintenance of network products and services, and may be exploited. other than fixed fields, for example, an alternative name of the vulnerability. Example: GNU Bash. high risk. remote code execution vulnerability. shell break vulnerability 5.3.2 Release time The date that the vulnerability information was released. Date writing shall adopt the extended format of complete representation in 5.2.1.1 of GB/T 7408-2005. The format is: YYYY-MM- DD, for example, 2019-01-01. Among them, YYYY signifies a calendar year; MM signifies the ordinal number of the calendar month in the calendar year; DD signifies the ordinal number of the calendar day in the calendar month. 5.3.3 Releaser The abbreviation of “vulnerability releaser”, which is an individual or organization that releases validated vulnerability information. The releaser is named after its personal identification or organization name. The “organization name” can be the official name or short name of the releaser’s organization. If the vulnerability releaser is an individual, it may be named with the name of the organization, to which, it belongs. See the format below: Personal identification of vulnerability releaser (vulnerability releaser’s organization name) Multiple releasers are allowed, which are separated by commas, for example: Zhang San (organization A), Li Si (organization A, organization B), Wang Wu, organization C The vulnerability release shall comply with the requirements specified in 5.5 Vulnerability Release in GB/T 30276-2020. 5.3.4 Validator The abbreviation of “vulnerability validator”, which is an individual or organization that technically validates the existence, level and category of vulnerabilities. The validator is named after its personal identification or organization name. The “organization name” can be the official name or short name of the validator’s organization. If the vulnerability validator is an individual, it may be named with the name of the organization, to which, it belongs. See the format below: Personal identification of vulnerability validator (vulnerability validator’s organization name) Multiple validators are allowed, which are separated by commas, for example: Zhang San (organization A), Li Si (organization A, organization B), Wang Wu, organization C The vulnerability validation shall comply with the requirements specified in 5.3 Vulnerability Validation in GB/T 30276-2020. 5.3.5 Finder The abbreviation of “vulnerability finder”, which is an individual or organization that finds the vulnerability. The finder is named after its personal identification or organization name. The “personal identification” can be the name or code of the individual finder; the “organization name” can be the official name or short name of the finder’s organization. If the identity of the finder cannot be confirmed, or the vulnerability information was anonymously released, the finder can be identified as “anonymous”. If the vulnerability finder is an individual, it may be named with the name of the organization, to which, it belongs. See the format below: Personal identification of vulnerability finder (vulnerability finder’s organization name) Multiple finders are allowed, which are separated by commas, for example: Zhang San (organization A), Li Si (organization A, organization B), Wang Wu, organization C The vulnerability finding shall comply with the requirements of 5.1 a) in GB/T 30276-2020. 5.3.6 Category The category, to which, the vulnerability belongs. It provides information on the attribution of vulnerability classification. The classification of categories shall comply with the requirements specified in Chapter 5 Cybersecurity Vulnerability Classification of GB/T 30279-2020. 5.3.7 Level The vulnerability hazard level, which provides the extent of hazard that the vulnerability may cause. The classification shall comply with the requirements specified in 6.3.3 Technical Classification of Cybersecurity Vulnerabilities in GB/T 30279-2020. 5.3.8 Affected product or service Details of the product or service, in which, the vulnerability exists. It includes supplier, name and version No., etc. For vulnerabilities with shared middleware or components, the related products or service information affected by them can all be listed. 5.3.9 Relevant number The number of the same vulnerability in different organizations, for example, CNVD number, CNNVD number, CVE number or vulnerability number customized by other organizations, etc. If there are multiple numbers, they can be provided in sequence and separated by commas. See Appendix A for the XML representation method of relevant number. 5.3.10 Existence statement Describe the triggering conditions, generation mechanism or conceptual proof of the vulnerability. Appendix A (informative) XML Representation of an Example of Vulnerability Identification and Description Specification This Appendix provides an example of a vulnerability (non-real vulnerability) using the vulnerability identification and description specified in this Standard. The purpose is to demonstrate the application of this Standard. In order to ensure the conciseness and readability of the example, this Appendix adopts the XML language as the representation language. < identification No.> CNCVD-2020-101001< /identification No.> < name> Linux Kernel. high risk. race condition vulnerability. Dirty Cow II vulnerability < /name> < release time> 2020-10-10 < /release time> < releaser> National Computer Network Emergency Response Technical Team / Coordination Center of China < /releaser> < validator> China Information Technology Security Evaluation Center, National Research Center for Information Technology Security < /validator> < finder> National Computer Network Intrusion Prevention Center < /finder> < category> race condition vulnerability < /category> < level> high risk < /level> < affected product or service> < manufacturer> Debian < /manufacturer> < product or service information> < product or service name> debian_linux < /product or service name> < version No.> 7.0 < /version No.> ......