RE: Counting on CVEs

[security curmudgeon <jericho@attrition.org>]

: ?In the beginning??we talked about needing 1 CVE number to represent 
: integer overflow, or another for insufficient parsing?clearly that never 
: stuck. But equally, it would seem that some vendors would like to assign 
: a CVE per ?threat?, which should also have never stuck.

There is CWE for that: http://cwe.mitre.org/

: I?m unaware of > 10,000 new vulnerabilities per year, at least not in 
: what I would consider ?new vulnerabilities?. That?s one heck of a lot of 
: lines of code, but if you?re counting vulnerabilities in Android Apps, 
: then I could also see that number be incredibly low. So perhaps the 
: issues aren?t with vulnerabilities, but instead with exposures??

OSVDB has 10,895 entries for 2006. Note, that OSVDB abstracts very 
differently than CVE or any other VDB currently, so I would guess we're 
the only ones who have hit that mark.

There is additional discussion on CVE handling the #### issue on the 
CERT-run vrdx mail list.