Re: Counting on CVEs
On Thu, 8 Mar 2012, Art Manion wrote:
: The questions remain IMO:
: 1. What level of abstraction is appropriate for CVE?
Their current method of abstraction is appropriate. It is well defined and
: 2. What level of completeness is appropriate for CVE?
I don't think "appropriate" is relevant. I think everyone wants it to be
"absolutely complete". For our business and research, that is the only
: Is there desire/need for an accurate count of vulnerabilities? OSVDB
: either abstracts a little more narrowly than CVE and/or collects more
: vulnerabilities, so OSVDB has higher numbers.
OSVDB does both, but our abstraction is more than "a little more narrow".
We abstract per vulnerability, where CVE will group similar. So take a
single CVE that lists 10 scripts vulnerable to SQL Injection, and we will
create 10 entries. OSVDB abstracts more than any other VDB, but as I said,
that is not always suitable depending on a person's needs.
: If CVE or any other database were to try to name and count all publicly
: disclosed vulnerabilities, it would be important to be able to
: distinguish between a vulnerability that is one of a dozen XSS bugs in a
: PHP web app and a vulnerability that is a straight up stack buffer
: overflow in httpd. Sure, count them all, but be able to say that out of
: 20K vulnerabilities named this year, 61% were XSS or SQLi in web apps
: with low distribution.
In theory, that is where CVSS (or another classification scheme) could
come in. Combined, that data could be used to pick out 'relevant' or
more critical issues.
: I'm guessing at some numbers in the above example, but this is a big
: reason IMO that CVE numbers have declined. Vulnerabilities "worth
: tracking with a CVE" have declined, not the total number of
: vulnerabilities. Another way to look at it might be that the criteria
: for "worth tracking with a CVE" have changed.
Based on my chats with CVE, I don't think it is that. I don't believe they
shy away from an issue due to severity. I think that the issue is that CVE
monitors a list of sources for vulnerabilities, and their resources do not
permit them to look at more. For example, they monitor Bugtraq, but not
Full-Disclosure. Over the years, many researchers have started posting to
F-D without CCing Bugtraq (for a variety of reasons). Add to that sites
like Exploit-DB and other exploit aggregation sites that aren't being
monitored, and the numbers quickly explain themselves. OSVDB has a long
list, but we don't have the resources to monitor all of them in a timely
manner. We use a weighted system for checking them as time permits, so the
ones we consider critical (ICS-CERT) get hit daily, but a changelog or bug
tracker may get checked yearly at best.