In order to further establish a unified and objective vulnerability rating system for the blockchain industry, establish a sound blockchain security infrastructure, and gradually improve many security issues in the blockchain field, the National Internet Emergency Center has joined forces with Changting Technology, Link Security Technology, and Appi Lab Based on the CVSS2.0 vulnerability scoring system and a large number of real blockchain vulnerability cases, the four security vendors of SlowMist and SlowMist jointly drafted the National Blockchain Vulnerability Database “Blockchain Vulnerability Classification Rules”, which is now released to the public .
In the network security evaluation system, the standardization of vulnerability classification and classification is a very important basic link for evaluation. The establishment of a unified vulnerability classification standardization program is of great significance for unifying industry awareness, improving industry technology security, and establishing a sound security evaluation system. In the early stage, when many blockchain companies and teams issued vulnerability bounty plans, because there was no uniform standard for direct reference, they often defined the threat level of vulnerabilities according to their own understanding; and security vendors would also formulate their own understanding of CVSS Different evaluation standards. At present, various roles in the blockchain ecology have different perceptions of security vulnerabilities, and even differ greatly. There is an urgent need to establish a set of grading rules for blockchain technology that is generally recognized by the industry, clarify the principle of vulnerability analysis, and give a definite and executable threat level evaluation reference.
In this context, the National Blockchain Vulnerability Database and industry security companies jointly issued the “Blockchain Vulnerability Classification Rules”. The “Detailed Rules” are divided into “Detailed Rules for Vulnerability Rating of Public Chain Systems”, “Detailed Rules for Vulnerability Rating of Alliance Chain Systems”, “Detailed Rules for Vulnerability Rating of Smart Contracts”, “Detailed Rules for Vulnerability Rating of Peripheral Systems”, mainly based on the “level of harm” The vulnerability is divided into three threat levels: high, medium, and low, and the description of each hazard and difficulty lists very detailed reference items, which basically cover the possible encounters in the blockchain field. Most of the vulnerabilities found can help users quickly locate and analyze vulnerabilities. At the same time, relying on CVSS2.0, strive to realize the intercommunication with the traditional basic field vulnerability rules, and open up the cognition and definition of vulnerabilities in the emerging field of blockchain and the traditional field from the perspective of large network security.
At present, the security evaluation system for blockchain at home and abroad is not yet mature. In this context, the National Blockchain Vulnerability Library actively explores blockchain security specifications, unites industry forces, and strives to form operational, executable, and quantifiable rules for the classification of blockchain vulnerabilities to promote the security of the blockchain industry. Orderly development will help my country occupy a leading position in the field of new blockchain technology.
At present, the “Blockchain Vulnerability Classification Rules” is only the initial version, and it will be revised continuously according to the actual situation of blockchain security. At the same time, all security vendors, white hats, and blockchain participants are also welcome to provide valuable opinions to help improve and upgrade the rules.
