OSVDB’s classification system is designed to categorize certain attributes of a vulnerability. This facilitates custom searches by a specific attribute, helps researchers develop metrics and gives a better picture of the vulnerability landscape. Until now, we’ve tracked if an exploit is ‘available’, ‘unavailable’, ‘rumored / private’ or ‘unknown’. While this was a good start for exploit status, it has quickly outgrown usefulness. Today, OSVDB overhauled the exploit classification to use the following:
- exploit public – A working exploit is publicly available.
- exploit rumored – An exploit is rumored to exist, but cannot be confirmed.
- exploit private – An exploit exists, but is not available to the public or in a commercial framework (e.g., vulnerability pre-disclosure groups like iDefense or ZDI, researcher developed but unreleased).
- exploit commercial – An exploit has been created and is available to customers in a commercial framework such as Canvas or CORE Impact.
- exploit unknown – The status of a working exploit is unknown.
In addition, we are moving one existing classification to the ‘exploit’ column since it is relevant to this category:
- exploit wormified – An exploit has been crafted to spread via ‘worm’ or ‘virus’.
As always, if you have suggestions or questions about the classification system, please mail moderators[at]osvdb.org!
In addition to overhauling the ‘exploit’ classification, additional touch-ups and reorganization has been done to the classification system. For volunteers that help mangle entries, watch out as items have shifted in flight. For users of OSVDB, these will be mostly cosmetic changes and should not impact searching.
- Disclosure column has been re-ordered
- Location column has been re-ordered
- Several locations have been touched-up. Use of ‘required’ is consistent now.
- Context-dependent – Moved from OSVDB to Location
- Mobile Phone expanded to include ‘Hand-held’ devices that may not be a phone
- Patch now includes RCS as some fixes are only available from CVS, SVN, etc.
- Removed ‘best practice’, no longer useful. We do not support SANS Top 20 x-refs any longer, since they don’t support the “20″ in the Top 20.
- Removed ‘no solution’. Until we have more volunteers and timely updates for all entries, ‘solution unknown’ is more accurate.
- Removed ‘hijacking’ attack type. Obsolete, not really an attack type of its own.