[VIM] Vuln info from public sources and VDB rules?

security curmudgeon jericho at attrition.org
Tue Jul 26 19:22:29 EDT 2005

: > This has come up in the past, and again more recently. Is information
: > found on a vendor website, such as a changelog or bugzilla entry, fair
: > game for inclusion in a vulnerability database? Some vendors seem to think
: > this material is off limits.
: I can understand the argument for bugzilla entries, as they could be 
: regarded as part of a largely internal process.  When developers ask us 

If the bugzilla is open to anyone, doesn't require authentication, and is 
linked off the vendor page as 'Bug Tracker', this doesn't feel like an 
internal process.

: for CVE ID's for issues that haven't been put in public advisories yet, 
: CVE considers Bugzilla entries "not sufficiently public"  although some 
: vendors don't seem to mind.

When looking at a bugzilla entry, I take note of time of disclosure and if 
there is any followup. Not only if there is any, but the time that has 
passed. Specifically, has a vendor had time to examine it? Are there 
comments confirming the bug? Comments saying they can't reproduce? That 
will weigh heavily on if I include it immediately.

: But a changelog is meant to be read by consumers, isn't it?  They're 
: telling their consumers that there's a vuln.

I think a public changelog is just that, public.

: > If a person keeps a directory of material
: > regarding vulnerabilities, and it is not password protected or restricted
: > in any way, are we to assume it may be private in some fashion?
: Well...  if it can be linked to from the front page or obtained by reading
: a download ZIP archive, that's public to me.

How about if it is a directory with no auth required, but not linked off 
the public pages? ie: I send CVE http://blah/vulns/issue1.txt. A month 
later, you check the /vulns/ directory and notice issue2.txt which is not 
published anywhere. Is that fair game?

More information about the VIM mailing list