Re: CVE Must-Have Coverage
[resending because of bounce]
On Thu, 13 Oct 2011, Andrew Balinsky wrote:
> Also, perhaps something to track zero day-ish things that aren't reported to vendors:
> http://www.exploit-db.com or similar.
FYI, we currently monitor Exploit-DB since it is a good source of raw
zero-day-ish information, but it covers mostly low-interest "php-Golf"
disclosures and sometimes publishes advisories that prove to be incorrect
(not that there's anything wrong with that, it comes with the territory.)
As a result, we do not have very high coverage of this source, and things
are only given high priority if an exploit-db entry seems to be related to
a high-priority product. I suspect that the presence of Exploit-DB (and
milw0rm before it) has probably contributed more to the growing increase
in vuln counts over the years than anything else.