[VIM] Vuln info from public sources and VDB rules?
jericho at attrition.org
Mon Jul 25 04:32:27 EDT 2005
(original has links to relevant material)
Vuln info from public sources and VDB rules?
This has come up in the past, and again more recently. Is information
found on a vendor website, such as a changelog or bugzilla entry, fair
game for inclusion in a vulnerability database? Some vendors seem to think
this material is off limits. If a person keeps a directory of material
regarding vulnerabilities, and it is not password protected or restricted
in any way, are we to assume it may be private in some fashion?
The recent complaint does bring up another issue though; assigning
vulnerable versions to the database entry. In this case, Secunia
apparently listed 1.x when it was a specific release. SecurityFocus BID
database tends to do this on many entries, listing all prior releases of a
product as vulnerable when it hasnt necessarily been tested. That may be a
safe assumption with some software, but not always. As new features are
added to a software package, so are new bugs and vulnerabilities.
VDBs using public information such as bugtrackers and changelogs may have
a long term negative impact though. The Caudium Group has closed its
bugtracker to the public in response to Secunias vulnerability listing. If
more vendors follow suit, this will make more detailed information
unavailable to VDBs and impact the quality of the information we can
More information about the VIM