Vulnerability Development mailing list archives

Re: vulnerability database

From: core.lists.exploit-dev () CORE-SDI COM (Iván Arce)
Date: Thu, 17 Feb 2000 16:13:20 -0300


Ben Valenti wrote:


I am in the process of creating a database of vulnerabilities/exploits.
I was wondering if anyone, who as attempted such a task, could give me
some description of their past experiences.  To start, advice/tips on
how to effectively structure the schema and where some good sources of


How to structure the schema is directly related to what use you'll make
of the db. 
One thing i'd do no matter what the db will be used for, is to isolate
the purely technical information in just a few tables, here im assuming
that the db is not containing just vuln/exploit information but other 
things that relate those to the real world. 
Its not enough (at least for my use) to know that a vulnerability exists
if i dont have precise information of what systems are vulnerable
(including hardware, os versions, configuration quirks, etc) and how
to correct the problem (patches, workarounds, changes to be made, etc).
Also, i'd expect from such a db some metrics on popularity of exploit
code and skills needed to exploit it.
OTOH, the common usage of a 'risk factor' associated with
vulnerabilities
makes no sense, the risk and impact is always dependant of the 
particular characteristics of the organization with the vulnerable
systems.

data for DB population can be found.  Also, are there any publically
available vuln./exp. DB's either provided by commercial businesses or
alternative sources?


checkout:
http://www.securityfocus.com/vdb
http://cve.mitre.org
http://xforce.iss.net

theres surely others im forgeting about
-ivan

-- 
"Understanding. A cerebral secretion that enables one having it to know
 a house from a horse by the roof on the house,
 It's nature and laws have been exhaustively expounded by Locke,
 who rode a house, and Kant, who lived in a horse." - Ambrose Bierce

==================[ CORE Seguridad de la Informacion S.A. ]=========
IvÃ¡n Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
email: iarce () core-sdi com
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina.              Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================

--- For a personal reply use iarce () core-sdi com

Current thread:

WINS attack? Bryce Walter (Feb 10)
- Re: WINS attack? Seth R Arnold (Feb 10)
- Re: WINS attack? Blue Boar (Feb 10)
- Re: WINS attack? John Hall (Feb 11)
- IE Java Nicolas Rachinsky (Feb 12)
- Unreal Webserver Adam Boileau (Feb 13)
  - Re: Unreal Webserver Arturo (Feb 14)
  - vulnerability database Ben Valenti (Feb 16)
    - Re: vulnerability database H D Moore (Feb 17)
    - Re: vulnerability database Yiorgos Adamopoulos (Feb 17)
    - Re: vulnerability database Iván Arce (Feb 17)
    - Re: vulnerability database Dragos Ruiu (Feb 17)
    - Re: vulnerability database Jay D. Dyson (Feb 17)
    - Eudora incoming email affects behavior Thomas Kluegel (Feb 17)
    - Re: Eudora incoming email affects behavior Jay D. Dyson (Feb 18)
    - Re: Eudora incoming email affects behavior Bluefish (Feb 29)