It seems that this week’s blog post on the 10 Most Vulnerable Vendors led to some questions about the Skybox Vulnerability Database.  Here is some additional information about our database, with details about our content and methodology provided by the manager of our Skybox Research Labs team.

As a risk analytics company, our research focus is on vulnerabilities that create a security risk management challenge for enterprise-class networks.  We consolidate vulnerability data for more than 1,000 products that are used extensively in enterprise network environments, including servers and desktop operating systems, business apps, databases, desktop apps, runtime frameworks, networking hardware and software, security software, and more.  For our enterprise customers, this data selection is entirely appropriate, as we adjust for the products and their corresponding vulnerabilities that are most relevant to a large enterprise network.

We have a dedicated research team that aggregates a superset of vulnerabilities from leading public and private security data sources.  The Skybox Research Lab manually analyzes each vulnerability entry from multiple databases to ensure accuracy, and add information needed for the risk analytics engines used by our products.  This manual analysis often reveals inconsistencies between data sources, or additional information that needs to be considered to ensure a more accurate severity ranking, list of affected products, or vendor solutions for each vulnerability.  You can view our list of sources in the Not all Vulnerability Research is Alike blog post from January 10, 2014.  We do include links to the OSVDB, but do not include it as a regular source in our analysis.

Our vulnerability database is CVE compliant and implements CVSS V2 standard.   We use the CVE number to cross-reference among the various sources.  In addition, our database contains vulnerabilities that do not have a CVE reference.

The severity rating is based on Skybox Security’s risk modeling (CVSS V2 compliant) which takes various parameters into account. Critical vulnerabilities are those that get CVSS Base score 9 or higher.  These are typically remote code execution or memory corruption vulnerabilities, which means the attacker can get full control over the affected machine, as opposed to other effects like DoS which are usually considered less severe.

To illustrate, here is an example of one of our database entries, this one for CVE-2013-1324.  We include extensive vulnerability information for each entry:  description, ID from all available sources, CVE if it exists, affected products and versions including framework dependencies, published solutions (remediation and workarounds), severity, vulnerability effect and attack preconditions, exploit difficulty, authentication requirements, and external URLs for additional information. The screen shots below show a portion of a database entry for a vulnerability, minus the additional attack vector data such as preconditions and exploit difficulty used by our risk analytics and attack simulation engines.