RE: Sources: Full and Partial Coverage
They did discuss the others but just listed EDB as a class of sites that should be represented.
The point was that if there is exploit code being published, it should always have a CVE.
Thanks for the explanation on RealPlayer.
Given that our VERT team has to prioritize what customers want regardless of CVE or not, they go through the same type of prioritization process but more driven by application classes. There is a product management function that surveys our customer base once per quarter to make sure we have their relevancy in mind when we develop content.
Tim "TK" Keanini, CTO ... nCircle Inc. ... mbl (415) 328-2722 ...
From: owner-cve-editorial-board-list@LISTS.MITRE.ORG [mailto:owner-cve-editorial-board-list@LISTS.MITRE.ORG] On Behalf Of security curmudgeon
Sent: Tuesday, May 08, 2012 1:53 AM
Subject: RE: Sources: Full and Partial Coverage
On Tue, 8 May 2012, Tim Keanini wrote:
: My head researcher felt that these were absent and should be considered given the infrastructure roles they play and I agree.
: Partially Cover
: 1) http://www.exploit-db.com/ <-- if they hit this repository, exploit code
: is available to the public, and it warrants a CVE.
I am curious why you chose EDB, and do not mention or suggest PacketStorm or inj3ct0r (1337day.com), as they both do the same thing, at least one in more volume than EDB. In fact, there is a big cross-over between all three that makes daily scouring quite annoying for some VDBs.
I only ask out of curiosity, because I could argue EDB over those, or PS over those, for different reasons.
: They also scratched their heads with RealPlayer being on the list but that might be something Federal market specific.
There is likely other media-based software with a larger user installation base than Real, that is not currently on the list.