Alexander Sotirov said: >Descriptions of vulnerabilities, especially ones that are found in the >wild, should include enough information to allow researchers to >uniquely identify the new vulnerability and differentiate it from all >other bugs, both known ones and 0days. I say this periodically, e.g. in [1], but it's probably worth expanding here. In CVE, we've found that we need the following details in order to be reasonably certain whether two issues are the same or not: 1) bug type DIFFICULTY: terminology like "malformed data structure handling" and "memory corruption" do not indicate bug type. There are many ways that input can be "malformed," and more precise terminology is desperately needed in this area. People can contact me off-list for thoughts on the topic. 2) affected versions / patch levels DIFFICULTY: often not known, especially without coordinated disclosure 3) attack vectors (input parameters/fields, programs) *and* affected components where the issue is exposed. DIFFICULTY: often omitted from reports. Having a source diff doesn't necessarily tell you what the vectors are. A vendor can fix the component and you can't tell if it matches up with the vectors listed by the original researcher. 4) For correlation purposes (e.g. figuring out if a vendor fix is for vuln X or vuln Y), we find that time of disclosure, researcher name, and cross-references are valuable. DIFFICULTY: often omitted from reports. Items 1 through 3, however, are often enough information to construct an exploit. This is probably a natural result of having to distinguish between vulnerabilities. >Without that level of detail, you end up with this: >http://www.securityfocus.com/archive/1/443288 Think of the amount of work that must have gone into that analysis, and you can understand how these essential details can be missed on a regular basis, in all sorts of disclosures. This is one example of how "post-disclosure analysis" is stylistically different from original research, but has its own technical demands. - Steve [1] "Making distinctions between similar-looking vulnerabilities" http://seclists.org/bugtraq/2004/Nov/0084.html
