[Owasp-topten] 2010 RC1 - Sources of Stats

Steven M. Christey coley at linus.mitre.org
Mon Dec 28 19:33:27 EST 2009


On Tue, 29 Dec 2009, Christian Heinrich wrote:

> I believe Andrew ver der Stock sampled BUGTRAQ but I may be incorrect
> due to my *brief* reading of the mailing list archives.

One thing I forget to mention when I talked about how CVE effectively 
samples Bugtraq data, is that none of the established vulnerability DBs 
track "site-specific" vulnerabilities, e.g. a CSRF in Facebook.  These 
kinds of reports show up on Bugtraq and Full-Disclosure, and on sites like 
xssed.com (which was out-of-date last time I checked), but I don't know 
what stats are available, if any.

- Steve


More information about the Owasp-topten mailing list