Four databases were surveyed: The Computer Emergency Response Team
(CERT) Coordination Center's database, the National Vulnerability
Database (NVD), the Open Source Vulnerability Database (OSVDB), and
the Symantec Vulnerability Database. (SecurityFocus is owned by
Symantec.)

The number of flaws cataloged by each database in 2005 varied widely,
because of differing definitions of what constitutes a vulnerability
and differing editorial policy. The OSVDB - which counted the highest
number of flaws in 2005 at 7,187 - breaks down vulnerabilities into
their component parts, so what another database might classify as one
flaw might be assigned multiple entries. SecurityFocus had the lowest
vulnerability count at 3,766.

The variations in editorial policy and the lack of cross-referencing
between databases, as well as unmeasurable biases in the research
community and in disclosure policy, mean that the databases - or refined
vulnerability information (RVI) sources - do not produce statistics
that can be meaningfully compared, Steve Christey, the editor of the
Common Vulnerabilities and Exposures (CVE) list, wrote in an e-mail to
security mailing lists on Thursday. The CVE is a dictionary of
security issues compiled by The MITRE Corp., a government contractor
and nonprofit organization.