Suggestion : Providing the DATE for exploits

[mjreilly at wam.umd.edu (Michael James Reilly)]

Just came across these messages while catching up on my Metasploit email.

I would make sure that the Metasploit team agrees with OSVDB's policy for 
setting disclosure dates before deciding to use their dates.  I have 
worked on ICAT and the National Vulnerability Database (NVD) at NIST, and 
the dating scheme they use has actually changed over the years (used to be 
we'd search for the earliest disclosure date we could find; now we just 
tag them with the date that we get the vulnerabilities from the CVE 
folks).

Also, since there is not a 1:1 corresondence between all vulnerabilities 
and exploits (some exploits apply to more than one vulnerability, 
depending on the way those vulns were cataloged) some modules may have 
more than one date in OSVDB...

All in all, I think it is better for Metasploit to maintain their own 
dates if possible.

  - Michael Reilly

On Sun, 2 Oct 2005, H D Moore wrote:

> Since the OSVDB [osvdb.org] already tracks the vulnerability disclosure
> date, all we need to do is add the appropriate references and write an
> auto-retrieval system. Does anyone have a strong reason for tracking the
> module release date as well?
>
> -HD
>
> On Sunday 02 October 2005 13:48, H D Moore wrote:
> > Unless someone volunteers to create and maintain this information for
> > the entire exploit set, it probably won't end up in a release.  Any
> > takers?
> >
> > -HD
> >
> > On Sunday 02 October 2005 12:14, Nagareshwar Talekar wrote:
> > > Though its some additional work....it will add great value to the
> > > MSF.
> > >
> > > Looking for the dates in next release :)