RE: Counting on CVEs
: "In the beginning" we talked about needing 1 CVE number to represent
: integer overflow, or another for insufficient parsing; clearly that never
: stuck. But equally, it would seem that some vendors would like to assign
: a CVE per "threat", which should also have never stuck.

There is CWE for that: http://cwe.mitre.org/

: I'm unaware of > 10,000 new vulnerabilities per year, at least not in
: what I would consider "new vulnerabilities". That's one heck of a lot of
: lines of code, but if you're counting vulnerabilities in Android Apps,
: then I could also see that number be incredibly low. So perhaps the
: issues aren't with vulnerabilities, but instead with exposures?

OSVDB has 10,895 entries for 2006. Note that OSVDB abstracts very differently than CVE or any other VDB currently, so I would guess we're the only ones who have hit that mark.

There is additional discussion on CVE handling the #### issue on the CERT-run vrdx mail list.