[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[TECH] Analysis of vendor acknowledgement according to CVE

Elias Levy gave some recent statistics from the Bugtraq database on
vendor notification.  Following his lead, I've hacked up a different
set of statistics that I culled from CMEX, which these days is
basically the candidate database.  I can't provide good breakdowns
based on who did the initial disclosure.

The short story is that according to CMEX, about 50% of the candidates
that were announced between November 1999 and July 2000 don't have
vendor acknowledgement.  Most candidates that become official entries
have some sort of vendor acknowledgement.

Candidates were taken from the RECENT-01 through RECENT-29 clusters.
These clusters encompass candidates that were publicly disclosed
between November 24, 1999 and July 20, 2000.  More recent clusters
were omitted from the analysis because they are too new to determine
the impact of vendor acknowledgement on Board voting.  However, 42% of
the candidates from clusters RECENT-30 through RECENT-35 did not have
vendor acknowledgement.

Note that how I determine vendor acknowledgement is probably pretty
strict relative to what others might consider sufficient
acknowledgement.  I described the approach at the last Board meeting,
but details are provided at the end of this report.


Total candidates: 690 (wow!  at least 690 new issues in 8 months!)

Candidates still active: 443

Candidates that became official entries: 247

Candidates with insufficient votes: 162

Candidates with some sort of vendor acknowledgement: 341 (51% of 690)

Types of Acknowledgement

- Advisory by vendor or response team (e.g. CERT/CC or AusCERT)

- Acknowledged by vendor in some other fashion (e.g. patch, README,
  email followup)

- Announced by reliable source (e.g. an established security vendor
  such as L0pht, ISS, BindView, etc.)

- No acknowledgement / Could not find acknowledgement

A vendor advisory is a formal announcement by an established vendor
who has set up a web page to contain all their advisories.  Basically,
these are OS vendors and application vendors such as Allaire who are
used as "official" references for CVE.

If a security vendor is the first announcer, but the affected software
vendor posts an advisory, then it counts as a vendor advisory.  A
response team advisory is assumed to contain some sort of vendor

Candidates that became entries
 110 Advisory by vendor or response team
  63 Acknowledged by vendor in some other fashion
   6 Announced by reliable source, e.g. L0pht, ISS, BindView, etc..
     - Normally implies vendor acknowledgement.
  68 No acknowledgement / could not find acknowledgement

Total: 247
Percentage with No/unknown acknowledgement: 28%

Candidates that have sufficient votes to become entries

[Note: many of these candidates are being held back by content
decisions or other factors, thus they might not become entries.]

  59 Advisory by vendor or response team
  60 Acknowledged by vendor in some other fashion
  6  Announced by reliable source, e.g. L0pht, ISS, BindView, etc..
     - Normally implies vendor acknowledgement.
  96 No acknowledgement / could not find acknowledgement

Total: 221
Percentage with No/unknown acknowledgement: 43%

Candidates with insufficient votes

[These candidates do not have sufficient votes to be ACCEPTed by the

   2 Advisory by vendor or response team
   4 Acknowledged by vendor in some other fashion
   0 Announced by reliable source, e.g. L0pht, ISS, BindView, etc..
     - Normally implies vendor acknowledgement.
 156 No acknowledgement / could not find acknowledgement

Total: 162
Percentage with No/unknown acknowledgement: 98%

The stats for candidates with insufficient votes is pretty
illuminating in terms of the impact on CVE.  Approximately 60
candidates had voting conflicts, which for various reasons removes
them from the statistical pool.

Here are the overall stats:

 179 Advisory
 137 Acknowledged
  25 Announced by reliable source
 349 No acknowledgement

Total: 690
Percentage with No/unknown acknowledgement: 51%

Severity vs. Acknowledgement

These stats were taken from a little-used field in CMEX that describes
the specific type of flaw (buffer overflow, dot dot, etc.)  The field
isn't filled in half the time, partially because it's not an essential
field, and partially because some bugs are difficult to classify.
Note that it is only filled in for the purposes of these sorts of
analysis of CVE - it is not distributed anywhere else.

The following severity values were assigned.  Broad strokes were
applied - e.g. if you have a buffer overflow, then it's assumed that
you can execute arbitrary commands; if you have a dot dot problem,
it's assumed you can read files; etc.  So, this data is clearly

SERIOUS = execute commands or read files
MIXED = type of flaw may or may not be serious depending on implementation
NOT-SERIOUS = information gathering / etc.
UNKNOWN = flaw type not available

For entries:

For candidates:

Monthly breakdown of acknowledgement

Month   Some ACK    No ACK
-----   --------    ------
199911    14          17
199912    47          45
200001    31          33
200002    48          38
200003    25          30
200004    32          40
200005    58          48
200006    58          71
200007    28          25

Appendix: Determining Vendor Acknowledgement for CVE

Here are the basic guidelines I use for determining if a candidate has
vendor acknowledgement.  Where there is acknowledgement, I've started
annotating CMEX with the "method" of acknowledgement, but that data
isn't particularly reliable.

Sufficient acknowledgement:

 - Vendor posts an advisory to *Bugtraq or web site

 - Vendor posts an email followup to a *Bugtraq post

 - Vendor explicitly describes issue on vendor web site

 - Vendor is quoted in established media (e.g. cnn.com)

 - Vendor explicitly describes issue in README or Changelog

 - Vendor provides a patch whose description clearly indicates the bug
   fix (even if they attempt to obscure it).  This one can get fuzzy
   because they might not be fixing the problem you think they are, so
   I'm usually careful to avoid calling this acknowledgement.

Insufficient acknowledgement:

 - Non-vendor claims that a patch is available (rationale: the patch
   may not actually fix the bug).  If the patch can be downloaded and
   the associated README/etc. obtained without running a program, then
   the README is examined for acknowledgement

   NOTE: this is *any* non-vendor, even an otherwise "trusted" source.
   I believe that patch information in some sources of vulnerability
   information may come from a cut-n-paste from the original
   announcement of the patch, regardless of the trustability of the
   source, and it isn't necessarily verified.

 - Discloser claims that the vendor was contacted or provides some

 - Vendor requires web site registration, or customer support number,
   to enter portion of web site that might contain acknowledgement

Page Last Updated or Reviewed: May 22, 2007