[VIM] Vuln info from public sources and VDB rules?
jericho at attrition.org
Tue Jul 26 19:22:29 EDT 2005
: > This has come up in the past, and again more recently. Is information
: > found on a vendor website, such as a changelog or bugzilla entry, fair
: > game for inclusion in a vulnerability database? Some vendors seem to think
: > this material is off limits.
: I can understand the argument for bugzilla entries, as they could be
: regarded as part of a largely internal process. When developers ask us
If the bugzilla is open to anyone, doesn't require authentication, and is
linked off the vendor page as 'Bug Tracker', this doesn't feel like an
: for CVE ID's for issues that haven't been put in public advisories yet,
: CVE considers Bugzilla entries "not sufficiently public" although some
: vendors don't seem to mind.
When looking at a bugzilla entry, I take note of time of disclosure and if
there is any followup. Not only if there is any, but the time that has
passed. Specifically, has a vendor had time to examine it? Are there
comments confirming the bug? Comments saying they can't reproduce? That
will weigh heavily on if I include it immediately.
: But a changelog is meant to be read by consumers, isn't it? They're
: telling their consumers that there's a vuln.
I think a public changelog is just that, public.
: > If a person keeps a directory of material
: > regarding vulnerabilities, and it is not password protected or restricted
: > in any way, are we to assume it may be private in some fashion?
: Well... if it can be linked to from the front page or obtained by reading
: a download ZIP archive, that's public to me.
How about if it is a directory with no auth required, but not linked off
the public pages? ie: I send CVE http://blah/vulns/issue1.txt. A month
later, you check the /vulns/ directory and notice issue2.txt which is not
published anywhere. Is that fair game?
More information about the VIM