[VIM] Re: discuss: VulnDisco

Steven M. Christey coley at mitre.org
Tue May 17 23:33:54 EDT 2005


>Below you will find a summary of the posts and exploits claimed in
>each pack. That said, how does a vulnerability database handle such
>claims? Should we be creating entries with the details we have? Or
>does this amount of exploit code in one place suggest it may not be
>fully legit?

This question is rather disconcerting for a number of reasons.

Ignoring the ethical questions that it raises regarding disclosure,
the report does not provide sufficient information that

 - could allow a DB to know if the issue is truly 0day (i.e., to make
   sure it's not a duplicate of something that's already in the DB)

 - could allow a vendor to validate and repair the issue

 - could allow a third party to validate and repair the issue


At least, such validation could not be performed without paying the
asking price for the pack ($1200 and up).  The license explicitly says
that the user cannot "disclose any information concerning the Pack or
any information derived from the Pack," which means that even
summarizing the technical details - which are theoretically derivable
from the CANVAS scripts if not already described by the author - is
prohibited.

In terms of quality information, which is needed to have a good
database, VulnDisco is thus less informative to the general public
than posts to unmoderated and unfiltered publication sources such as
the Full-Disclosure list.

Then again, it's not much less informative than security advisories
from some vendors.

I'd say that it's a judgment call on the part of each database owner,
but if the issues are catalogued, then the database should emphasize
strongly that the issues cannot be independently verified based on
existing information.

A roughly similar thing happened recently with some claims about a DoS
problem in Adobe Acrobat Reader (CAN-2005-1347), in which a vague,
detail-free researcher post to SecurityTracker was picked up by
various vulnerability information sources, but the researcher would
not provide details to either Adobe or SecurityTracker.

On the one hand you can't say for sure whether it's legit or not, but
it seems like a bad precedent is being set.

How's that for a non-answer? ;-)

(I'm still thinking about it for CVE.)

- Steve
