[VIM] discuss: secunia footnote

Steven M. Christey coley at linus.mitre.org
Wed Jun 1 11:29:21 EDT 2005


Only Secunia can answer of course, but similar claims seem to be made by
other commercial services.  One big problem is that you can't tell what
sort of validation has taken place, or what "validation" even means.  Was
the vendor contacted and did the vendor confirm the issue?  Seems
impossible to do this for all vendors, since you can't even CONTACT some
vendors without a support contract.  Did they replicate the issue in their
own labs?  A very expensive proposition - and problematic when some
researcher advisories are too vague to reconstruct (or construct) the
appropriate attack.  When the researcher says that the vendor fixed the
problem, is that claim inherently trusted, or is it independently
verified?

VDBs don't record that sort of information - at least, not publicly.

- Steve

