Re: Public availability of CMEX
Everyone,

While CMEX looks like it could be a "real" vulnerability database, I don't think it will ever be a competitor to any "good" vulnerability database.

The purpose of CMEX is twofold:

- to support maintenance of the CVE
- to support looking up a specific vulnerability

It is *not* to provide a sysadmin or researcher or other "end user" with a wealth of information. It is only useful to CVE mappers and maintainers.

CMEX will never have fields for things like risk, impact, software version numbers or affected operating systems (except when used in the description field to discriminate between vulnerabilities), classification (beyond the extremely broad categories that guide content decisions), exploits, fix information, or even a complete set of references - i.e., the "meat" of most vulnerability databases.

While the keywords certainly help searchability, they are based exclusively on the descriptive text and are primarily useful for looking up the name of a specific vulnerability. A user couldn't retrieve, say, "all NT vulnerabilities" or "all vulnerabilities that give root access" or "all buffer overflow" problems. The categories are extremely broad and would not help an "end user" in any real way, except to help narrow the search.

IMHO, the only CMEX data that I see as having any "questionable" overlap with a real vulnerability database are the categories and references. The references are inherently incomplete, and the categories are too high level for most classification purposes (consider how "software flaw" covers Krsul and Aslam's theses in one fell swoop). Thus I don't think there's enough real data in CMEX to enable it to "compete" with other databases.

- Steve