[Dailydave] Exploits matter.
security curmudgeon
jericho at attrition.org
Thu Oct 22 21:25:44 EDT 2009
Based on discussion from this thread and internal chat:
http://blog.osvdb.org/2009/10/22/classification-exploit-status-overhaul#
Classification: Exploit Status Overhaul
Posted by jericho 31 minutes ago
OSVDB's classification system is designed to categorize certain attributes
of a vulnerability. This facilitates custom searches by a specific
attribute, helps researchers develop metrics and gives a better picture of
the vulnerability landscape. Until now, we've tracked if an exploit is
'available', 'unavailable', 'rumored / private' or 'unknown'. While this
was a good start for exploit status, it has quickly outgrown usefulness.
Today, OSVDB overhauled the exploit classification to use the following:
* exploit public - A working exploit is publicly available.
* exploit rumored - An exploit is rumored to exist, but cannot be
  confirmed.
* exploit private - An exploit exists, but is not available to the
  public or in a commercial framework (e.g., vulnerability pre-disclosure
  groups like iDefense or ZDI, researcher developed but unreleased).
* exploit commercial - An exploit has been created and is available to
  customers in a commercial framework such as Canvas or CORE Impact.
* exploit unknown - The status of a working exploit is unknown.
In addition, we are moving one existing classification to the 'exploit'
column since it is relevant to this category:
* exploit wormified - An exploit has been crafted to spread via 'worm'
  or 'virus'.
As always, if you have suggestions or questions about the classification
system, please mail moderators[at]osvdb.org!