0

I'm looking for a database with all the noteworthy Unix programs with a timeline of vulnerabilities found in that individual product in some categories (remote/local, DoS, privilege elevation, data execution), and, on average, how often these things happen on a yearly basis for each individual product.

vbence
  • You might like to describe what you're trying to achieve, rather than bring us in halfway through your problem solving train of thought. – womble Jul 17 '11 at 10:07
  • I'm trying to take an objective look at the security of my system. Instead of blurry views of some individuals, I want to base my evaluation on solid facts. If I have a range of possible products (firewalls for example), I want to see 4 numbers next to each product, which poses more risk. - And the same thing between different kinds of software. I want to answer questions like: is my ftp server more secure than my webserver? – vbence Jul 17 '11 at 10:48
  • Good luck with *that* little project. The upside is that you'll have wonderfully secure systems, because you'll never get time to actually set anything up... – womble Jul 17 '11 at 11:53
  • So... why the -1? – vbence Jul 19 '11 at 16:38

2 Answers

4

Something like http://cve.mitre.org/ ?

womble
  • Thanks. I see this as a vulnerability archive. Is there any way to query this database in some way similar to what I described? (Average vulnerabilities found / year for different types). – vbence Jul 17 '11 at 10:51
  • Yep, download the CVE list and go to town. – womble Jul 17 '11 at 11:54
  • Thanks, I've downloaded the CSV version, the problem is that it is not properly tagged. Text searching is not an option, just because a product's name is present in the description it does not necessarily mean that the given product is vulnerable. Also no means to check the severity of each vulnerability. – vbence Jul 17 '11 at 12:10
  • @vbence - it is the closest thing industry has. You could write a more appropriate search analysis function; I think a lot of folks would thank you for it :-) – Rory Alsop Jul 18 '11 at 14:51
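As an added example (not code from the answer or the commenters), here is the kind of "go to town" script the exchange above implies: it reads rows in the column layout assumed for MITRE's CSV export (Name, Status, Description, References, Phase, Votes, Comments), counts entries per product per year in the question's categories, and computes a yearly average. The sample rows are constructed, and the product test is a plain description search, so the constructed "Unrelated tool" row is counted for ExampleHTTPd, illustrating the false-positive problem vbence raises.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the column layout assumed for MITRE's CSV export.
# The real download may carry preamble lines above the header; drop those first.
SAMPLE_CSV = """Name,Status,Description,References,Phase,Votes,Comments
CVE-2009-0001,Entry,"Buffer overflow in ExampleFTPd 1.2 allows remote attackers to execute arbitrary code",,,,
CVE-2009-0002,Candidate,"ExampleFTPd 1.3 allows local users to gain privileges via a symlink",,,,
CVE-2010-0003,Entry,"ExampleHTTPd 2.0 allows remote attackers to cause a denial of service",,,,
CVE-2010-0004,Entry,"Unrelated tool that logs in ExampleHTTPd format mishandles input",,,,
CVE-2011-0005,Entry,"ExampleHTTPd 2.1 allows remote attackers to execute arbitrary code",,,,
"""

# Category heuristics over the free-text description (hypothetical patterns, not CVE fields).
CATEGORIES = {
    "remote": re.compile(r"\bremote\b", re.I),
    "local": re.compile(r"\blocal\b", re.I),
    "dos": re.compile(r"denial of service", re.I),
    "privilege": re.compile(r"privilege", re.I),
    "code_exec": re.compile(r"execute arbitrary code", re.I),
}

def cve_year(cve_id):
    """Year embedded in the CVE id (year of assignment, not of discovery or disclosure)."""
    m = re.match(r"CVE-(\d{4})-\d+", cve_id)
    return int(m.group(1)) if m else None

def count_by_year(csv_text, product):
    """Return {year: {"total": n, category: n, ...}} for rows whose description names the product.

    A whole-word match in the description is only a hint that the product is affected;
    rows that merely mention the product are counted too, so review the hits by hand.
    """
    product_re = re.compile(r"\b" + re.escape(product) + r"\b", re.I)
    counts = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(csv_text)):
        desc = row.get("Description", "")
        year = cve_year(row.get("Name", ""))
        if year is None or not product_re.search(desc):
            continue
        counts[year]["total"] += 1
        for cat, pattern in CATEGORIES.items():
            if pattern.search(desc):
                counts[year][cat] += 1
    return {year: dict(c) for year, c in counts.items()}

def yearly_average(counts):
    """Mean entries per year over the span from first to last year seen (gap years count as zero)."""
    if not counts:
        return 0.0
    years = sorted(counts)
    return sum(c["total"] for c in counts.values()) / (years[-1] - years[0] + 1)
```

Severity is not in this export at all, which is the second gap the comments mention; you would need to join on an external scoring source to fill it.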
1

It seems like Portaudit has the best indexed list this far. It is tagged with one of the two pieces of information I need: you can identify which package (product) has the vulnerability.

It has no information about the severity, or at least I could not find it this far.

http://www.freebsd.org/doc/handbook/security-portaudit.html

vbence