[VIM] Vulnerability fixed in E-gold (fwd)

Steven M. Christey coley at linus.mitre.org
Thu Mar 16 14:59:14 EST 2006


On Thu, 16 Mar 2006, security curmudgeon wrote:

> I know the VDBs don't track site specific bugs for the most part

I'm starting to think that this is a bit of an issue, from the respect of
monitoring the space of "all known" vulnerabilities, no matter where they
live or how ephemeral they are.  It feels like we're missing out on a bit.
The existing DBs out there do have good reasons for not tracking these,
but it would be a good thing if someone did it.

> Has anyone else considered doing this in any fashion? What are the pros
> and cons in your eyes?

The con would probably be the sheer number of issues (XSS would be king,
and high risk in this context).  I imagine there would be high analytical
expenses to distinguish a site-specific issue from a problem in a third
party package that the site is using.  Actually, this expense is starting
to show up in CVE, just so we can decide whether or not to include
something.

The pros would be similar to the pros of disclosure in distributed
software, although the same cons would be inherited too.  E.g. someone
might hear "XSS in Google" and assume there was some major obvious
mistake, even if it required a really obscure attack that took advantage
of broken browsers and non-standard behavior.

I VERY loosely track these kinds of issues if they're posted to Bugtraq,
but they're not in any central location.  Rather, I don't completely throw
away the reference.  CVE will be making some internal process changes that
might allow this tracking to happen a little more cleanly, but I'm not
sure when that would happen.

- Steve