[VIM] Vuln info from public sources and VDB rules?

security curmudgeon jericho at attrition.org
Mon Jul 25 04:32:27 EDT 2005


(original has links to relevant material)

http://www.osvdb.org/blog/?p=26

Vuln info from public sources and VDB rules?

This has come up in the past, and again more recently. Is information 
found on a vendor website, such as a changelog or bugzilla entry, fair 
game for inclusion in a vulnerability database? Some vendors seem to think 
this material is off limits. If a person keeps a directory of material 
regarding vulnerabilities, and it is not password protected or restricted 
in any way, are we to assume it may be private in some fashion?

The recent complaint does bring up another issue though: assigning 
vulnerable versions to the database entry. In this case, Secunia 
apparently listed 1.x when it was a specific release. SecurityFocus BID 
database tends to do this on many entries, listing all prior releases of a 
product as vulnerable when it hasn't necessarily been tested. That may be a 
safe assumption with some software, but not always. As new features are 
added to a software package, so are new bugs and vulnerabilities.

VDBs using public information such as bugtrackers and changelogs may have 
a long term negative impact though. The Caudium Group has closed its 
bugtracker to the public in response to Secunia's vulnerability listing. If 
more vendors follow suit, this will make more detailed information 
unavailable to VDBs and impact the quality of the information we can 
provide.
