[This was originally published on the OSVDB blog.]
No, this isn’t some odd contest with a disappointing reward. Date an OSVDB moderator! *shudder*
Think of dates in the context of vulnerability disclosure. Think of how many dates we don’t know, even in the more formal advisories (some with time lines even). OSVDB currently tracks three dates: Vulnerability Published, Vulnerability Discovered, Exploit Published. We have additional dates that we will add to the system as developer time permits, but unfortunately most vulnerabilities don’t come with the information we need. In a perfect disclosure world, each vulnerability posted would come with a robust timeline:
- Vulnerability Discovered
- Disclosed to Vendor
- Vendor Acknowledgement
- Vendor Patch
- Public Disclosure
This would allow VDBs to track better metrics, including vendor response time, patch development time and more. Are there more dates that would be relevant and of interest?