[TECH] Total effort of vulnerability database teams
For those of you who lead vulnerability database teams (or research
teams who maintain a database as part of their work), I was wondering:
approximately how many "staff years" support your vulnerability
database efforts per year, including data collection, research,
writing, and editing? (Please include your own related activities).
If you can also provide separate figures for any validation you may do
(e.g. exploit creation/verification), that would be great.
I'm asking because I'm trying to get a notion of how well CVE is
"producing" relative to its rough equivalents in industry. We've got
about 2.5 staff years per year, but our "validation" step is mostly
limited to searching for vendor acknowledgement, then waiting to see
how the Board votes ;-)
Feel free to send me a private response if you wish.