Full Disclosure mailing list archives

Re: Open Letter on the Interpretation of "Vulnerability Statistics"


From: "Steven M. Christey" <coley () linus mitre org>
Date: Fri, 6 Jan 2006 14:53:56 -0500 (EST)


On Fri, 6 Jan 2006, Georgi Guninski wrote:

> hahaha:
> http://cve.mitre.org/about/
> A Dictionary, NOT a Database
> (note the CAPS)
> so which way is it "NOT" or "A database"?

Hi Georgi, I've missed you.

According to the definitions proposed by Brian Martin of OSVDB, CVE is in
fact a database - HOWEVER it is a highly specialized one intended for
correlation and comparison across multiple tools and products.  That said,
90% of its consumers do not use it for that reason.  The FAQ should
probably be rephrased a bit.

> > RVI sources collect unstructured vulnerability information from Raw
> > Sources.
>
> read: parasites cut and paste from people who can do things.

Actually, they frequently augment the original work, especially if it
suffers from the Four I's problem - inconsistent, inaccurate, incomplete,
and/or incomprehensible.  Well-researched advisories like yours are the
exception, not the rule.

Every "RVI" or, if you wish, "database" provides extra value beyond what
is originally published.  Raw sources include lots of poorly written or
inaccurate advisories without any vendor fix information.  RVIs sort
through the cruft and produce something that is more usable to the average
consumer, often conducting additional analysis or interacting with the
affected vendor.

The average consumer does not have the time or the expertise to sift
through hundreds of information pieces from dozens of sources.

> > - LACK OF COMPLETE CROSS-REFERENCING BETWEEN RVI SOURCES.
>
> read: coley does not like it that there is no officially recognized
> usa funded database (NOT a dictionary) to rule em all and manipulate
> statistics.

Of course statistics can be manipulated any way you want to.  But CVE is,
as far as I know, the only RVI that has attempted to document and publish
at least part of its editorial policy, in the form of its content
decisions - *and* those content decisions received heavy review and
feedback by members of the CVE Editorial Board.

CVE and, I believe, OSVDB would like to achieve complete
cross-referencing.  This is a laudable goal but more resource-intensive
than currently allowed.  Most other RVIs cannot do this because they
compete with each other.

I personally want solid, accurate, complete vulnerability information that
can be independently reviewed and replicated.  In the areas where most
researchers fail to do this, RVI sources can help.

- Steve
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
