[VIM] interesting thought

Steven M. Christey coley at linus.mitre.org
Fri May 19 15:56:20 EDT 2006


CVE has a "vendor acknowledged" field that we don't make public and don't
always populate.  Data is less complete from around 2002 and earlier.  We
do not record solution dates.

Below is a totally crude set of numbers, just to give you an idea of the
ranges, and so you can see the variety of values that we use for the
field.  Some of them need to be normalized.

In the past, I've only seen about 50% provable acknowledgement, and that
still seems to hold.

This data is literally from a grep of a raw CVE data file, but I don't
have the time right now to do something a little better.

> of course, this also requires the data to be kept up to date pretty
> hardcore, but still.

Yes, that's a toughie.  The way CVE content development currently works,
we do not have a consistent way of catching vendor acknowledgement if it's
not available at the time we create something.

- Steve



total values: 17215

 8571 unknown  (either "no" or "unprovable" or "analyst forgot to say yes")
 7674 yes
  970 no


7392 unknown
4815 yes advisory
1434 yes
 924 unknown discloser-claimed
 822 no
 707 yes changelog
 334 yes followup
 172 unknown vague
 149 yes patch
  67 no disputed
  52 yes via-email
  49 yes forum
  35 yes cve-vote
  31 no vendor-inactive
  21 unknown claimed
  13 unknown foreign
  11 yes bug-report
  11 no site-restricted
   8 yes readme
   8 yes email
   6 unknown reliable-discloser-claimed
   6 no claimed-unresponsive
   5 yes email-followup
   5 no vendor-missing
   5 no sent-inquiry
   4 yes via-phone
   4 yes post
   4 yes cve-consult
   4 unknown disputed
   4 no unsupported
   3 yes claimed
   3 unknown vague advisory
   3 unknown poster-claimed
   3 unknown claimed-patch
   3 no product-discontinued
   2 yes web-page
   2 yes vdb-email
   2 yes news
   2 yes forward
   2 yes diff
   2 yes change-log
   2 yes by-design
   2 yes blog
   2 yes announcer-claimed
   2 unknown tp-claimed
   2 unknown patch-claimed
   2 unknown inaccessible
   2 unknown claimed patch
   2 unknown advisory-unclear
   2 no search-failed
   2 no abandoned
   1 yes web-site
   1 yes vote
   1 yes via-reliable-source
   1 yes user-group
   1 yes trusted-claimed
   1 yes to-trusted-party
   1 yes to-board-member
   1 yes severity disputed
   1 yes remote
   1 yes release-notes
   1 yes press
   1 yes news-item
   1 yes in the referenced bugtraq announcement
   1 yes in SUNBUG:4115685
   1 yes implied-followup
   1 yes implied
   1 yes forum-post
   1 yes external-post
   1 yes email-announce
   1 yes email-advisory
   1 yes distributor
   1 yes developer-post
   1 yes by-implication
   1 yes by-email
   1 yes bulletin-board
   1 yes bugzilla report
   1 yes bug report
   1 yes bboard
   1 yes advuisory
   1 yes Release Notes
   1 yes README
   1 yes FAQ
   1 yes Bugzilla report
   1 yes BugTracker
   1 unknown ven-quoted
   1 unknown vague discloser claimed
   1 unknown unsopported
   1 unknown reliable-claimed-yes
   1 unknown reliable-claimed
   1 unknown poster claimed, generic comment
   1 unknown followup claimed
   1 unknown followup
   1 unknown disclosure-claimed
   1 unknown discloser-claimed patch
   1 unknown discloser-claimed fixed
   1 unknown discloser-claimed a reply to the discloser claimed MS said it was not a problem
   1 unknown discloser ignored
   1 unknown claimed patch in followups by users
   1 unknown claimed notified
   1 unknown claimed notification
   1 unknown claimed informed
   1 unknown claimed dispute
   1 unknown changelog is too vague
   1 unknown ack-vague
   1 no vendor-unknown
   1 no vendor inaccessible
   1 no rep-attempted
   1 no possibly-obsolete
   1 no old
   1 no not-supported
   1 no not-maintained
   1 no disputed disputed as poor configuration
   1 no discontinued
   1 no discloser claims dispute
   1 no discloser attempted contact
   1 no contact-attempted
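
An added example (not part of the original message and not CVE's own tooling) showing one way to parse count-prefixed tally lines like those above, roll them up to yes/no/unknown, and collapse spelling variants of the qualifier. The normalization rule (casefold, then drop spaces and hyphens) and all function names are assumptions; the sample is a subset of the lines listed above.

```python
import re
from collections import Counter

# Subset of the tally lines from the message: count, status, free-text qualifier.
SAMPLE = """\
 707 yes changelog
   2 yes change-log
  11 yes bug-report
   1 yes bug report
   1 yes release-notes
   1 yes Release Notes
   8 yes readme
   1 yes README
   3 unknown claimed-patch
   2 unknown claimed patch
 822 no
"""

LINE = re.compile(r"^\s*(\d+)\s+(yes|no|unknown)\b\s*(.*)$")


def parse(text):
    """Yield (count, status, qualifier) for every well-formed tally line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:  # skip blank lines and anything that is not a tally row
            yield int(m.group(1)), m.group(2), m.group(3).strip()


def normalize(qualifier):
    """Assumed rule: casefold and remove spaces/hyphens so variants merge."""
    return re.sub(r"[\s\-]+", "", qualifier.casefold())


def rollup(text):
    """Return (totals per status, totals per (status, normalized qualifier))."""
    by_status, by_qualifier = Counter(), Counter()
    for count, status, qualifier in parse(text):
        by_status[status] += count
        by_qualifier[(status, normalize(qualifier))] += count
    return by_status, by_qualifier


if __name__ == "__main__":
    status_totals, qualifier_totals = rollup(SAMPLE)
    print(dict(status_totals))
    for key, n in qualifier_totals.most_common():
        print(n, *key)
```

This rule only merges variants that differ in case or separators; misspellings and synonyms would still need an explicit mapping table.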

