Businesses and organizations worldwide rely increasingly on networked computer systems for information and services. The computer systems can include computing devices such as computers and smartphones, as well as computer networks such as private and public networks (including the Internet). A business's computer system may have a software codebase of hundreds or thousands of different computer applications or software (“software systems”). The software codebase may be continually changing, upgraded or enlarged with newer versions or types of the computer applications or software. Establishing good computer security (which may include processes and mechanisms by which equipment, information and services are protected from unintended or unauthorized access, change or destruction) is essential for operation of the business's computer system.
A computer security or software “vulnerability” may be a weakness or mistake in a software system that can be directly used by an unauthorized third party to gain access to a computer system or network. In several reported incidents of cyber attacks on computer systems of various businesses and organizations, attackers have breached computer security (e.g., using computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs) only because of vulnerabilities in the software codebase in the computer systems. Most businesses or organizations recognize a need to continually monitor their computer systems to identify software at risk not only from known software vulnerabilities but also from newly reported vulnerabilities (e.g., due to new computer viruses or malicious programs). Identification of vulnerable software allows prophylactic actions to be taken, for example, to secure the vulnerable software and prevent breaches of computer security. The prophylactic actions may, for example, include deploying specific anti-virus software or restricting operation of the vulnerable software to limit damage.
New computer system or software system vulnerabilities are often identified, cataloged, and published by independent third parties or organizations (“reporting parties”) who may specialize in computer security issues. The reporting parties may include government organizations (e.g., the National Institute of Standards and Technology (NIST)), industry organizations, and private firms (e.g., anti-virus software developers).
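As an added illustration that is not part of this document, the following Python matches a constructed software inventory against constructed vulnerability reports of the kind a reporting party publishes; the product names, version ranges and VULN-EXAMPLE identifiers are placeholders, and `seen_ids` models the distinction between already-known and newly reported vulnerabilities.

```python
# Added example (not from the original document): match a software inventory
# against vulnerability reports such as those a reporting party publishes.
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so comparisons are numeric, not lexical
    (lexically '2.4.9' > '2.4.10', which would hide an unpatched install)."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

@dataclass(frozen=True)
class Report:
    vuln_id: str   # identifier assigned by the reporting party (constructed)
    product: str   # affected product name as the reporter spells it
    start: str     # first affected version (inclusive)
    end: str       # first fixed version (exclusive)

def is_affected(version: str, report: Report) -> bool:
    v = parse_version(version)
    return parse_version(report.start) <= v < parse_version(report.end)

def find_at_risk(inventory, reports, seen_ids=frozenset()):
    """Return (host, product, version, vuln_id) for every install hit by a
    report not yet in seen_ids, i.e. only newly reported vulnerabilities."""
    hits = []
    for host, product, version in inventory:
        for r in reports:
            if r.vuln_id in seen_ids or r.product.lower() != product.lower():
                continue
            if is_affected(version, r):
                hits.append((host, product, version, r.vuln_id))
    return hits

# Constructed sample data: an inventory of installed software and a report feed.
INVENTORY = [
    ("web-01", "ExampleHTTPd", "2.4.10"),
    ("web-02", "ExampleHTTPd", "2.4.9"),
    ("db-01",  "ExampleDB",    "10.2"),
    ("app-01", "ExampleDB",    "9.7"),
]
REPORTS = [
    Report("VULN-EXAMPLE-0001", "examplehttpd", "2.4.0", "2.4.10"),
    Report("VULN-EXAMPLE-0002", "ExampleDB",    "9.0",   "10.0"),
]

if __name__ == "__main__":
    for hit in find_at_risk(INVENTORY, REPORTS):
        print("at risk:", hit)
```

Passing the identifiers already acted on as `seen_ids` on each run reports only vulnerabilities newly published since the previous check.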
Consideration is being given to systems and methods for identifying computer systems at risk from software vulnerabilities that may be reported by reporting parties.