RE: Counting on CVEs
: "In the beginning" we talked about needing 1 CVE number to represent
: integer overflow, or another for insufficient parsing; clearly that never
: stuck. But equally, it would seem that some vendors would like to assign
: a CVE per "threat", which should also have never stuck.
There is CWE for that: http://cwe.mitre.org/
: I'm unaware of > 10,000 new vulnerabilities per year, at least not in
: what I would consider "new vulnerabilities". That's one heck of a lot of
: lines of code, but if you're counting vulnerabilities in Android Apps,
: then I could also see that number be incredibly low. So perhaps the
: issues aren't with vulnerabilities, but instead with exposures?
OSVDB has 10,895 entries for 2006. Note that OSVDB abstracts very
differently than CVE or any other VDB currently, so I would guess we're
the only ones who have hit that mark.
There is additional discussion on CVE handling the #### issue on the
CERT-run vrdx mail list.