[VIM] interesting thought
Steven M. Christey
coley at linus.mitre.org
Fri May 19 15:56:20 EDT 2006
CVE has a "vendor acknowledged" field that we don't make public and don't
always populate. Data is less complete from around 2002 and earlier. We
do not record solution dates.

Below is a totally crude set of numbers, just to give you an idea of the
ranges, and so you can see the variety of values that we use for the
field. Some of them need to be normalized.

In the past, I've only seen about 50% provable acknowledgement, and that
still seems to hold.

This data is literally from a grep of a raw CVE data file, but I don't
have the time right now to do something a little better.

> of course, this also requires the data to be kept up to date pretty
> hardcore, but still.

Yes, that's a toughie. The way CVE content development currently works,
we do not have a consistent way of catching vendor acknowledgement if it's
not available at the time we create something.

- Steve

total values: 17215

8571 unknown (either "no" or "unprovable" or "analyst forgot to say yes")
7674 yes
970 no

7392 unknown
4815 yes advisory
1434 yes
924 unknown discloser-claimed
822 no
707 yes changelog
334 yes followup
172 unknown vague
149 yes patch
67 no disputed
52 yes via-email
49 yes forum
35 yes cve-vote
31 no vendor-inactive
21 unknown claimed
13 unknown foreign
11 yes bug-report
11 no site-restricted
8 yes readme
8 yes email
6 unknown reliable-discloser-claimed
6 no claimed-unresponsive
5 yes email-followup
5 no vendor-missing
5 no sent-inquiry
4 yes via-phone
4 yes post
4 yes cve-consult
4 unknown disputed
4 no unsupported
3 yes claimed
3 unknown vague advisory
3 unknown poster-claimed
3 unknown claimed-patch
3 no product-discontinued
2 yes web-page
2 yes vdb-email
2 yes news
2 yes forward
2 yes diff
2 yes change-log
2 yes by-design
2 yes blog
2 yes announcer-claimed
2 unknown tp-claimed
2 unknown patch-claimed
2 unknown inaccessible
2 unknown claimed patch
2 unknown advisory-unclear
2 no search-failed
2 no abandoned
1 yes web-site
1 yes vote
1 yes via-reliable-source
1 yes user-group
1 yes trusted-claimed
1 yes to-trusted-party
1 yes to-board-member
1 yes severity disputed
1 yes remote
1 yes release-notes
1 yes press
1 yes news-item
1 yes in the referenced bugtraq announcement
1 yes in SUNBUG:4115685
1 yes implied-followup
1 yes implied
1 yes forum-post
1 yes external-post
1 yes email-announce
1 yes email-advisory
1 yes distributor
1 yes developer-post
1 yes by-implication
1 yes by-email
1 yes bulletin-board
1 yes bugzilla report
1 yes bug report
1 yes bboard
1 yes advuisory
1 yes Release Notes
1 yes README
1 yes FAQ
1 yes Bugzilla report
1 yes BugTracker
1 unknown ven-quoted
1 unknown vague discloser claimed
1 unknown unsopported
1 unknown reliable-claimed-yes
1 unknown reliable-claimed
1 unknown poster claimed, generic comment
1 unknown followup claimed
1 unknown followup
1 unknown disclosure-claimed
1 unknown discloser-claimed patch
1 unknown discloser-claimed fixed
1 unknown discloser-claimed a reply to the discloser claimed MS said it was not a problem
1 unknown discloser ignored
1 unknown claimed patch in followups by users
1 unknown claimed notified
1 unknown claimed notification
1 unknown claimed informed
1 unknown claimed dispute
1 unknown changelog is too vague
1 unknown ack-vague
1 no vendor-unknown
1 no vendor inaccessible
1 no rep-attempted
1 no possibly-obsolete
1 no old
1 no not-supported
1 no not-maintained
1 no disputed disputed as poor configuration
1 no discontinued
1 no discloser claims dispute
1 no discloser attempted contact
1 no contact-attempted
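
An added example, not part of the original post and not CVE's own tooling: one way to fold the spelling, case and punctuation variants visible in the tally above into consistent labels before counting. The sample lines are a subset copied from the post; the alias table and the function names are assumptions.

```python
import re
from collections import Counter

# Tally lines copied from the post above (a subset chosen to show variants).
SAMPLE = """\
4815 yes advisory
1 yes advuisory
707 yes changelog
2 yes change-log
8 yes readme
1 yes README
1 yes release-notes
1 yes Release Notes
11 yes bug-report
1 yes bug report
1 yes bugzilla report
1 yes Bugzilla report
4 no unsupported
1 unknown unsopported
1434 yes
"""

# Assumed alias table: spelling variants folded to one label (not CVE's own).
ALIASES = {"advuisory": "advisory", "change-log": "changelog",
           "unsopported": "unsupported"}

LINE = re.compile(r"^\s*(\d+)\s+(yes|no|unknown)\b\s*(.*)$", re.IGNORECASE)

def normalize(line):
    """Return (count, status, qualifier) or None for a non-tally line."""
    m = LINE.match(line)
    if not m:
        return None
    count, status, rest = int(m.group(1)), m.group(2).lower(), m.group(3)
    # Lowercase, then join words with hyphens so "bug report" == "bug-report".
    qual = "-".join(rest.lower().split())
    return count, status, ALIASES.get(qual, qual)

def tally(text):
    """Sum counts per (status, normalized qualifier)."""
    totals = Counter()
    for parsed in filter(None, map(normalize, text.splitlines())):
        count, status, qual = parsed
        totals[(status, qual)] += count
    return totals

if __name__ == "__main__":
    for (status, qual), n in sorted(tally(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"{n:6d} {status} {qual or '(no qualifier)'}")
```

The status word is kept as part of the key, so "no unsupported" and "unknown unsopported" stay separate counts even after the typo is folded.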