In a research paper published at the 2015 IEEE Security & Privacy Symposium we used Symantec's WINE dataset to investigate the vulnerability life-cycle of 10 client applications: 4 browsers (Chrome, Firefox, Opera, Safari), 2 multimedia players (Adobe Flash Player, Quicktime), an email client (Thunderbird), a document reader (Word), and a networking tool (WireShark).
During this work we found some inconsistencies in the data of the National Vulnerability Database (NVD). On this page we provide the data detailing those inconsistencies. We hope that other researchers will benefit from this data and that it will be incorporated into NVD soon.
The NVD Fixes section below has one file per application. Each file has one row per vulnerability, identified by its CVE identifier (e.g., CVE-2010-0231), followed by the patches to be applied to the NVD data. If a vulnerable version is missing from the NVD data, the sign ++ appears before the version number (e.g., ++8.2), indicating that it should be added to NVD's data. If NVD reports a version as vulnerable but it is not, the sign -- appears before the version number (e.g., --8.1), indicating that it should be removed.
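The following sketch shows one way to apply such rows to a local copy of NVD's vulnerable-version lists. It is an added example, not code from the paper or its authors. It assumes each row is whitespace-separated (the CVE identifier followed by `++`/`--` tokens), which this page does not specify; the function names and the sample data are constructed for illustration.

```python
import re

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

def parse_fix_row(row):
    """Split one row into (cve, versions_to_add, versions_to_remove)."""
    tokens = row.split()  # assumption: whitespace-separated fields
    if not tokens or not CVE_RE.match(tokens[0]):
        raise ValueError(f"row does not start with a CVE identifier: {row!r}")
    add, remove = set(), set()
    for tok in tokens[1:]:
        if tok.startswith("++") and len(tok) > 2:
            add.add(tok[2:])
        elif tok.startswith("--") and len(tok) > 2:
            remove.add(tok[2:])
        else:
            raise ValueError(f"unrecognized patch token {tok!r} in {row!r}")
    if add & remove:
        raise ValueError(f"{tokens[0]}: version both added and removed")
    return tokens[0], add, remove

def apply_fixes(nvd_versions, rows):
    """Return a corrected copy of nvd_versions and a list of warnings."""
    fixed = {cve: set(v) for cve, v in nvd_versions.items()}
    warnings = []
    for row in rows:
        if not row.strip():
            continue
        cve, add, remove = parse_fix_row(row)
        current = fixed.setdefault(cve, set())
        # A fix that does not match the local NVD snapshot is worth flagging:
        # the snapshot may be newer than the fixes file.
        warnings += [f"{cve}: --{v} not listed in NVD" for v in sorted(remove - current)]
        warnings += [f"{cve}: ++{v} already listed in NVD" for v in sorted(add & current)]
        current -= remove
        current |= add
    return fixed, warnings

# Constructed sample data, not real NVD contents or real rows from the files.
NVD_SAMPLE = {"CVE-2010-0231": {"8.0", "8.1"}, "CVE-0000-0000": {"1.0"}}
FIX_ROWS = ["CVE-2010-0231 ++8.2 --8.1", "CVE-0000-0000 --2.0 ++1.0"]

if __name__ == "__main__":
    fixed, warnings = apply_fixes(NVD_SAMPLE, FIX_ROWS)
    for cve in sorted(fixed):
        print(cve, sorted(fixed[cve]))
    print("\n".join(warnings))
```

The warnings matter when the local NVD snapshot is newer than the fixes file: a `--` for a version NVD no longer lists, or a `++` for one it already lists, suggests the entry has since been corrected upstream.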
[Oakland 2015] The Attack of the Clones: A Study of the Impact of Shared Code on Vulnerability Patching
Antonio Nappa, Richard Johnson, Leyla Bilge, Juan Caballero, Tudor Dumitras.
In Proceedings of the 36th IEEE Symposium on Security and Privacy. San Jose, CA, USA. May, 2015.
This research was partially supported by the Spanish Government through Grant TIN2012-39391-C04-01, the Regional Government of Madrid through the N-GREENS Software-CM project S2013/ICE-2731, and a Juan de la Cierva Fellowship for Juan Caballero.