[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Sources: Full and Partial Coverage

Tim and Brian,

EDB at least has a field that states whether they've independently 
verified each issue or not, and it is very commonly referenced, so that's 
one reason it has more focus than the others.  We do pick up Packet Storm 
on a fairly regular basis.  We have not examined whether inj3ct0r provides 
any additional or significant value, or any of the dozens of similar 
vulnerability databases across the Internet.  The commonality between all 
these sources increases the workload significantly, so it had evolved (at 
least to the point of this Board discussion) to more closely watch 
Exploit-DB than the others.

- Steve



On Tue, 8 May 2012, Tim Keanini wrote:

> They did discuss the others but just listed EDB as a class of sites that 
> should be represented. The point was that if there is exploit code being 
> published, it should always have a CVE.
>
> Thanks for the explanation on RealPlayer.
>
> Given that our VERT team has to prioritize what customers want 
> regardless of CVE or not, they go through the same type of 
> prioritization process but more driven by application classes.  There is 
> a product management function that surveys our customer base once per 
> quarter to make sure we have their relevancy in mind when we develop 
> content.
>
> --tk
>
> --
> Tim "TK" Keanini, CTO    ...    nCircle Inc.   ...   mbl (415) 328-2722  ...
>
> -----Original Message-----
> From: owner-cve-editorial-board-list@LISTS.MITRE.ORG [mailto:owner-cve-editorial-board-list@LISTS.MITRE.ORG] On Behalf Of security curmudgeon
> Sent: Tuesday, May 08, 2012 1:53 AM
> To: cve-editorial-board-list
> Subject: RE: Sources: Full and Partial Coverage
>
> Tim;
>
> On Tue, 8 May 2012, Tim Keanini wrote:
>
> : My head researcher felt that these were absent and should be 
> considered given the infrastructure roles they play and I agree.
>
> : Partially Cover
> : 1) http://www.exploit-db.com/ <-- if they hit this repository exploit code
> : is available to the public, and it warrants a CVE.
>
> I am curious why you chose EDB, and do not mention or suggest 
> PacketStorm or inj3ct0r (1337day.com), as they both do the same thing, 
> at least one in more volume than EDB. In fact, there is a big cross-over 
> between all three that make daily scouring quite annoying for some VDBs.
>
> I only ask out of curiosity, because I could argue EDB over those, or PS 
> over those, for different reasons.
>
> : They also scratched their heads with RealPlayer being on the list but 
> that might be something Federal market specific.
>
> There is likely other media-based software with a larger user 
> installation base than Real, that is not currently on the list.
>
>
Page Last Updated or Reviewed: November 06, 2012