Vulnerability Databases


Security relies on understanding the present and past vulnerabilities within your hardware and software stack. Responsible software and hardware companies publish detailed information about known vulnerabilities. However, remember that the number of reported vulnerabilities for a product never reflects its quality.

In fact, a lack of openly published vulnerabilities should raise suspicion, as transparency is a hallmark of trustworthy and secure products. The number of vulnerabilities you can find for a product is not related to its quality. Distrust products that have no openly published vulnerabilities.

  • Vulnerability Notes Database. The Vulnerability Notes Database provides information about software vulnerabilities. Vulnerability notes include summaries, technical details, remediation information, and lists of affected vendors.

  • National Vulnerability Database - US (aka NVD). The NVD, run by the US NIST organization, is one of the world's largest databases. You should hate it, but there are few alternatives that have the same reach. The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics.

  • CWE Vulnerability Databases. CWE (Common Weakness Enumeration, CWE™) is a community-developed list of common software and hardware security weaknesses. It serves as a common language, a measuring stick for security tools, and a baseline for weakness identification, mitigation, and prevention efforts. Available at: http://cwe.mitre.org/