RE: Sources: Full and Partial Coverage
Tim and Brian,
EDB at least has a field that states whether they've independently
verified each issue or not, and it is very commonly referenced, so that's
one reason it has more focus than the others. We do pick up Packet Storm
on a fairly regular basis. We have not examined whether inj3ct0r provides
any additional or significant value, or any of the dozens of similar
vulnerability databases across the Internet. The commonality between all
these sources increases the workload significantly, so it had evolved (at
least to the point of this Board discussion) to more closely watch
Exploit-DB than the others.
On Tue, 8 May 2012, Tim Keanini wrote:
> They did discuss the others but just listed EDB as a class of sites that
> should be represented. The point was that if there is exploit code being
> published, it should always have a CVE.
> Thanks for the explanation on RealPlayer.
> Given that our VERT team has to prioritize what customers want
> regardless of CVE or not, they go through the same type of
> prioritization process but more driven by application classes. There is
> a product management function that surveys our customer base once per
> quarter to make sure we have their relevancy in mind when we develop
> Tim "TK" Keanini, CTO ... nCircle Inc. ... mbl (415) 328-2722 ...
> -----Original Message-----
> From: owner-cve-editorial-board-list@LISTS.MITRE.ORG [mailto:owner-cve-editorial-board-list@LISTS.MITRE.ORG] On Behalf Of security curmudgeon
> Sent: Tuesday, May 08, 2012 1:53 AM
> To: cve-editorial-board-list
> Subject: RE: Sources: Full and Partial Coverage
> On Tue, 8 May 2012, Tim Keanini wrote:
> : My head researcher felt that these were absent and should be
> : considered given the infrastructure roles they play and I agree.
> : Partially Cover
> : 1) http://www.exploit-db.com/ <-- if they hit this repository exploit code
> : is available to the public, and it warrants a CVE.
> I am curious why you chose EDB, and do not mention or suggest
> PacketStorm or inj3ct0r (1337day.com), as they both do the same thing,
> at least one in more volume than EDB. In fact, there is a big cross-over
> between all three that make daily scouring quite annoying for some VDBs.
> I only ask out of curiosity, because I could argue EDB over those, or PS
> over those, for different reasons.
> : They also scratched their heads with RealPlayer being on the list but
> : that might be something Federal market specific.
> There is likely other media-based software with a larger user
> installation base than Real, that is not currently on the list.