Tag: Vulnerability Databases

  • For Sale: VDB

    [This was originally published on the OSVDB blog.] Jason Bergen posted to Full-Disclosure trying to sell a “Security Vulnerability Database Company“. From that mail: The company maintains a database of all security vulnerabilities, and the database is updated on a daily basis. The company maybe of interest to organisations who are currently licensing a vulnerability […]

  • Mac vs Windows – More “Statistics”

    [This was originally published by the OSVDB blog.] Yet another article comparing Mac vs Windows, and using statistics to back it up. Since this is getting to be a common occurrence, I won’t go into the usual lecture about statistics, how they can easily be manipulated to back any argument (including how VAX/VMS is the […]

  • A Word on Solutions (Use Another Product)

    [This was originally published on the OSVDB blog.] Something lead you to the product that ended up on your systems. Be it a feature, a look, ease of use, or price, it was a driving force in your decision. Changing to a different product isn’t easily done, especially if your current solution is heavily integrated […]

  • A Word on Solutions (Edit Source Code)

    [This was originally published on the OSVDB blog.] Often times you will see a VDB or researcher disclosure offer the solution “Edit the source code to ensure that input is properly sanitised.” I’ve never been fond of this for several reasons. First and probably the most obvious, duh? If I proclaim “send food to the […]

  • Vulnerability Classification Terminology

    [This was originally published on the OSVDB blog.] Local or remote, seems so simple when classifying a vulnerability. The last few years have really thrown this simple distinction for a loop. Think of a vulnerability that occurs when processing a file, such as a browser rendering a JPG or GIF, or a program like Adobe […]

  • If a tree falls in the woods…

    [This was originally published on the OSVDB blog.] If a researcher discloses a vulnerability only to VDBs, and some/all of them publish the information, was the vulnerability really disclosed? Yes, of course, but should it have been? Are VDBs responsible for the information? Does it fall on us to check every thing we get and […]

  • Vuln info from public sources and VDB ‘rules’?

    [This was originally published on the OSVDB blog.] This has come up in the past, and again more recently. Is information found on a vendor website, such as a changelog or bugzilla entry, fair game for inclusion in a vulnerability database? Some vendors seem to think this material is off limits. If a person keeps […]

  • Classification Headache: Remote vs Local

    [This was originally published on the OSVDB blog.] http://archives.neohapsis.com/archives/bugtraq/2005-07/0238.html From: Derek Martin (code[at]pizzashack.org)Date: Thu Jul 14 2005 – 21:39:30 CDT The issue has come up on bugtraq before, but I think it is worth raising it again. The question is how to classify attacks against users’ client programs which come from the Internet, e.g. an […]

  • ICAT > NVD

    [This was originally published on the OSVDB blog.] Someone brought this to my attention: http://nvd.nist.gov/National Vulnerability Database Welcome to NVD!!NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on the CVE vulnerability naming standard. NVD contains:11708 Vulnerabilities482 US-CERT […]

  • Why Vulnerability Databases Can’t Do Everything

    [This was originally published on the OSVDB blog.] https://seclists.org/fulldisclosure/2005/Jul/292 From: Steven M. Christey (coley[at]mitre.org)Date: Fri Jul 15 2005 – 13:35:52 CDT Vulnerability databases and notification services have to pore through approximately 100 new public vulnerability reports a week. Correction: that’s HUNDREDS of reports, from diverse and often unproven sources, for about 100 unique vulnerabilities per […]