Wanna Date?

No, this isn’t some odd contest with a disappointing reward. Date an OSVDB moderator! *shudder*

Think of dates in the context of vulnerability disclosure. Think of how many dates we don’t know, even in the more formal advisories (some with time lines even). OSVDB currently tracks three dates: Vulnerability Published, Vulnerability Discovered, Exploit Published. We have additional dates that we will add to the system as developer time permits, but unfortunately most vulnerabilities don’t come with the information we need. In a perfect disclosure world, each vulnerability posted would come with a robust timeline:

  1. Vulnerability Discovered
  2. Disclosed to Vendor
  3. Vendor Acknowledgement
  4. Vendor Patch
  5. Public Disclosure

This would allow VDBs to track better metrics, including vendor response time, patch development time and more. Are there more dates that would be relevant and of interest?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: