Vulnerability Development mailing list archives
Re: vulnerability database
From: jdyson () TECHREPORTS JPL NASA GOV (Jay D. Dyson)
Date: Thu, 17 Feb 2000 15:08:27 -0800
On Wed, 16 Feb 2000, Ben Valenti wrote:

> I am in the process of creating a database of vulnerabilities/exploits. I was wondering if anyone, who has attempted such a task, could give me some description of their past experiences. To start, advice/tips on how to effectively structure the schema and where some good sources of data for DB population can be found. Also, are there any publicly available vuln./exp. DB's either provided by commercial businesses or alternative sources?

SecurityFocus has a very good listing on their website. I recommend that highly.

For my own part, my home-grown vuln/exploit database contains the following fields:

    Date entered:
    Date of notice:
    Source: (Bugtraq, NTBugtraq, Vuln-Dev, etc)
    Author:
    OS affected:
    OS version affected:
    Hardware platform affected:
    Service/application affected:
    Service/application version affected:
    Type: Advisory | Bug | Exploit | Trojan | Virus | Worm | Patch
    Risk: DoS | Data Corruption | Unauthorized Access | Root Compromise
    Status: Reported | Confirmed
    Severity: High | Medium | Low
    Vulnerability Type: Local | Remote | SEP*
    Exploit method / code:
    Suggested Fix / Workaround:
    Vendor Patch ID:
    Vendor URL:
    Keywords:
    Resolved on:
    Resolved by:
    Notes:

    * SEP = Someone Else's Problem, such as poor crypto in a commercial product for which I have no use.

The delineation of this data as described above works well for me when it comes to quickly looking up vulnerabilities based on critical elements. It also helps me keep track of vulnerabilities that have been reported and never resolved in a satisfactory manner by the vendor (the Sun ufsdump/ufsrestore patch for Solaris 2.5.1 comes to mind).

-Jay

   (                                                              ______
   ))   .-- "There's always time for a good cup of coffee." --.   >===<--.
 C|~~| (>-- Jay D. Dyson -- jdyson () techreports jpl nasa gov --<) |   = |-'
  `--'  `- It's a thankless job, but I've got Karma to burn. -'  `-----'
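The field list in the message above, expressed as a SQLite schema with the enumerated values enforced by CHECK constraints and a query for entries that were never resolved. This is an added example, not part of the original post or the author's database; the table and column names, the lookup index, the choice to skip SEP rows and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Column names are assumptions; the enumerated values come from the post's field list.
SCHEMA = """
CREATE TABLE vuln (
  id INTEGER PRIMARY KEY,
  date_entered TEXT NOT NULL, date_of_notice TEXT, source TEXT, author TEXT,
  os TEXT, os_version TEXT, hardware TEXT, service TEXT, service_version TEXT,
  type TEXT CHECK (type IN ('Advisory','Bug','Exploit','Trojan','Virus','Worm','Patch')),
  risk TEXT CHECK (risk IN ('DoS','Data Corruption','Unauthorized Access','Root Compromise')),
  status TEXT CHECK (status IN ('Reported','Confirmed')),
  severity TEXT CHECK (severity IN ('High','Medium','Low')),
  vuln_type TEXT CHECK (vuln_type IN ('Local','Remote','SEP')),
  exploit_method TEXT, fix_or_workaround TEXT, vendor_patch_id TEXT, vendor_url TEXT,
  keywords TEXT, resolved_on TEXT, resolved_by TEXT, notes TEXT
);
CREATE INDEX vuln_lookup ON vuln (os, os_version, service, service_version);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def add_entry(db, **fields):
    # Column names cannot be bound as parameters, so allow only known ones.
    known = {row[1] for row in db.execute("PRAGMA table_info(vuln)")}
    if not fields or set(fields) - known:
        raise ValueError(f"unknown or missing fields: {sorted(set(fields) - known)}")
    cols, marks = ", ".join(fields), ", ".join("?" * len(fields))
    db.execute(f"INSERT INTO vuln ({cols}) VALUES ({marks})", list(fields.values()))

def unresolved(db):
    # Entries never resolved, oldest notice first; skipping SEP rows is an assumption.
    return db.execute(
        "SELECT service, os, os_version, severity FROM vuln "
        "WHERE resolved_on IS NULL AND vuln_type IS NOT 'SEP' "
        "ORDER BY date_of_notice").fetchall()

def demo():
    db = open_db()
    base = dict(date_entered="2000-02-17", source="Bugtraq", os="ExampleOS",
                os_version="1.0", type="Bug", status="Confirmed")  # constructed rows
    add_entry(db, **base, date_of_notice="2000-01-05", service="exampled",
              severity="High", vuln_type="Local")
    add_entry(db, **base, date_of_notice="2000-01-09", service="samplemail",
              severity="Medium", vuln_type="Remote", resolved_on="2000-02-01")
    add_entry(db, **base, date_of_notice="2000-01-12", service="democrypt",
              severity="Low", vuln_type="SEP")
    return db

if __name__ == "__main__":
    print(unresolved(demo()))
```
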