Vulnerability Databases: Classification and Registry

What publicly available Vulnerability Databases do we have? Well, I can only say that there are a lot of them and they are pretty different. Here I make an attempt to classify them.

It’s quite an ungrateful task. No matter how hard you try, the final result will be rather inaccurate and incomplete. I am sure someone will be complaining. But this is how I see it. If you want to add or change something feel free to make a comment bellow or email [email protected].

The main classifier, which I came up with:

• There are individual vulnerability databases in which one identifier means one vulnerability. They try to cover all existing vulnerabilities.
• And others are security bulletins. They cover vulnerabilities in a particular product or products. And they usually based on on patches. One patch may cover multiple vulnerabilities.

I made this diagram with some Vulnerability Databases. Note that I wanted to stay focused, so there are no exploit DBs, CERTs, lists of vulnerabilities detected by some researchers (CISCO Talos, PT Research, etc.), Media and Bug Bounty sites.

For these databases the descriptions of vulnerabilities are publicly available on the site (in html interface or downloadable data feed), or exist in a form of paid Vulnerability Intelligence service (for example, Flexera).

On one side there are databases of individual vulnerabilities, the most important is National Vulnerability Database. There are also Chinese, Japanese bases that can be derived from NVD or not.

On the other side we have security bulletins, for example RedHat Security Advisories.

And in the middle we have a Vulnerability Databases, for which it is not critical whether they have duplicated vulnerability IDs or not.

These are the Vulnerability Databases of aggregators, vulnerability scanners, security content databases. We can say that CIS OVAL or OpenVAS NVTs are the forms of public security content. Russian FSTEC BDU Vulnerability Database also has individual vulnerabilities and security bulletins.

Classification

I have the following groups:

1. Individual Vulnerabilities
2. Individual Vulnerabilities -> Government
3. Individual Vulnerabilities -> Commercial Vulnerability Scanners and Aggregators
4. Mixed Individual Vulnerabilities and Security Bulletins -> Commercial Vulnerability Scanners and Aggregators
5. Mixed Individual Vulnerabilities and Security Bulletins -> Government
6. Mixed Individual Vulnerabilities and Security Bulletins -> Open and formalized detection rules
7. Security Bulletins
8. Security Bulletins -> All software in repository

Registry

I was trying to give a link on the same “Drupalgedon2” CVE-2018-7600 vulnerability in examples, where it was possible. I mentioned the ways to grab all the entries from particular Vulnerability Database in the Aggregation column. Most of this methods are provided by the owner of the Database (“official”) or in a form of Vulners collections.

Other Vulnerability Databases

Of course this table is far from being complete. It’s a basic structure, just to give an overall picture.

You can find more:

• Different Vulnerability Databases in Vulnerability Database Catalog by FIRST.org.
• Security Bulletins for different Operating Systems and Software at Vulners.com stats page (blocks “Unix” and “Software”).
• Bases of OVAL content listed at MITRE OVAL Product List (it is in archive state; see the type “Definition Repository”)

Do you know any other interesting sources about known software vulnerabilities? Feel free to mention them in the comments bellow.