Vulnerability Development mailing list archives

Re: vulnerability database


From: jdyson () TECHREPORTS JPL NASA GOV (Jay D. Dyson)
Date: Thu, 17 Feb 2000 15:08:27 -0800



On Wed, 16 Feb 2000, Ben Valenti wrote:

> I am in the process of creating a database of vulnerabilities/exploits.
> I was wondering if anyone, who has attempted such a task, could give me
> some description of their past experiences.  To start, advice/tips on
> how to effectively structure the schema and where some good sources of
> data for DB population can be found.  Also, are there any publicly
> available vuln./exp. DB's either provided by commercial businesses or
> alternative sources?

        SecurityFocus has a very good listing on their website.  I
recommend that highly.  For my own part, my home-grown vuln/exploit
database contains the following fields:

        Date entered:
        Date of notice:
        Source: (Bugtraq, NTBugtraq, Vuln-Dev, etc)
        Author:
        OS affected:
        OS version affected:
        Hardware platform affected:
        Service/application affected:
        Service/application version affected:
        Type: Advisory | Bug | Exploit | Trojan | Virus | Worm | Patch
        Risk: DoS | Data Corruption | Unauthorized Access | Root Compromise
        Status: Reported | Confirmed
        Severity: High | Medium | Low
        Vulnerability Type: Local | Remote | SEP*
        Exploit method / code:
        Suggested Fix / Workaround:
        Vendor Patch ID:
        Vendor URL:
        Keywords:
        Resolved on:
        Resolved by:
        Notes:

* SEP = Someone Else's Problem, such as poor crypto in a commercial
        product for which I have no use.

        The delineation of this data as described above works well for me
when it comes to quickly looking up vulnerabilities based on critical
elements.  It also helps me keep track of vulnerabilities that have been
reported and never resolved in a satisfactory manner by the vendor (the
Sun ufsdump/ufsrestore patch for Solaris 2.5.1 comes to mind).

-Jay

   (                                                             ______
   ))   .-- "There's always time for a good cup of coffee." --.   >===<--.
 C|~~| (>-- Jay D. Dyson -- jdyson () techreports jpl nasa gov --<) |   = |-'
  `--'  `- It's a thankless job, but I've got Karma to burn. -'  `-----'

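As an added illustration (not Jay's own database, whose implementation the post does not describe), the field list above rendered as a SQLite schema: the enumerated fields become CHECK constraints, and one query pulls the "reported but never resolved" entries the post says the database helps track. Column names, the 90-day default and the `sqlite3` choice are my assumptions.

```python
import sqlite3

# Hypothetical SQLite rendering of the field list in the post above.
# Column names are assumed; the enumerations are the post's own and are
# enforced with CHECK constraints so a mistyped value is rejected rather
# than silently dropping an entry out of later lookups.
SCHEMA = """
CREATE TABLE vuln (
  id INTEGER PRIMARY KEY,
  date_entered TEXT NOT NULL, date_of_notice TEXT NOT NULL,   -- YYYY-MM-DD
  source TEXT NOT NULL, author TEXT,
  os_affected TEXT, os_version TEXT, hw_platform TEXT,
  service TEXT, service_version TEXT,
  type TEXT NOT NULL CHECK (type IN ('Advisory','Bug','Exploit',
                                     'Trojan','Virus','Worm','Patch')),
  risk TEXT NOT NULL CHECK (risk IN ('DoS','Data Corruption',
                                     'Unauthorized Access','Root Compromise')),
  status TEXT NOT NULL CHECK (status IN ('Reported','Confirmed')),
  severity TEXT NOT NULL CHECK (severity IN ('High','Medium','Low')),
  vuln_type TEXT NOT NULL CHECK (vuln_type IN ('Local','Remote','SEP')),
  exploit_method TEXT, suggested_fix TEXT, vendor_patch_id TEXT,
  vendor_url TEXT, keywords TEXT,
  resolved_on TEXT, resolved_by TEXT,   -- stay NULL until the vendor fixes it
  notes TEXT
);
"""

def open_db():
    """Create an empty in-memory database with the schema above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def add_entry(conn, **fields):
    """Insert one record; returns its row id, raises IntegrityError on a bad enum.
    Column names come from code, values are bound parameters, never interpolated."""
    cols = ", ".join(fields)
    marks = ", ".join("?" for _ in fields)
    cur = conn.execute(f"INSERT INTO vuln ({cols}) VALUES ({marks})",
                       tuple(fields.values()))
    return cur.lastrowid

def unresolved(conn, as_of, min_days=90):
    """Entries with no resolution date, at least min_days old on as_of, worst first."""
    rows = conn.execute(
        "SELECT id, service, severity, date_of_notice FROM vuln "
        "WHERE resolved_on IS NULL "
        "  AND julianday(?) - julianday(date_of_notice) >= ? "
        "ORDER BY CASE severity WHEN 'High' THEN 0 WHEN 'Medium' THEN 1 ELSE 2 END",
        (as_of, min_days))
    return rows.fetchall()
```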

