Current scenario
We combine multiple vulnerability sources and try to reconcile them into one vulnerability. Even though, in reality, there is only one vulnerability, disagreement between different data sources results in conflicting details. For example, if NVD says CVE-1 affects version 1 through 5 but GitHub says the same CVE affects version 1 through 4 of a project, which one should we trust?
Building Trust
There are multiple factors responsible for building trust in a single advisory. The simplest is to trust one advisory publisher over another in every instance. A more involved way would include more factors such as:
- Advisory Publishing Platform: e.g., trust NVD advisories more than GitHub advisories
- Advisory Publisher: e.g., trust advisories published by @pombredanne more than those published by @Hritik14
- References: e.g., increase trust if the advisory uses archlinux.com as a reference
- Updated at: the value which is newer, e.g. https://www.cve.org/CVERecord?id=CVE-2023-33934
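One way to turn these factors into a reconciliation rule, as an added example that is not part of this issue or of the project's own code: each advisory gets a score from its platform, publisher and references, the highest score wins, and the newer `updated_at` breaks ties. The weights, the `Advisory` fields and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlparse

# Assumed weights per trust factor (constructed for this example, not the project's values).
PLATFORM_TRUST = {"nvd": 3.0, "github": 2.0}             # platform: NVD over GitHub
PUBLISHER_TRUST = {"pombredanne": 2.0, "Hritik14": 1.0}  # publisher account
TRUSTED_REFERENCE_HOSTS = {"archlinux.com": 1.0}         # references that raise trust


@dataclass
class Advisory:
    platform: str
    publisher: str
    cve: str
    affected_versions: str
    references: list = field(default_factory=list)
    updated_at: date = date.min


def trust_score(advisory: Advisory) -> float:
    """Sum the trust contributed by platform, publisher and references."""
    score = PLATFORM_TRUST.get(advisory.platform, 0.0)
    score += PUBLISHER_TRUST.get(advisory.publisher, 0.0)
    for ref in advisory.references:
        host = urlparse(ref).hostname or ""
        score += TRUSTED_REFERENCE_HOSTS.get(host, 0.0)
    return score


def reconcile(advisories: list) -> Advisory:
    """Pick the advisory to trust for one CVE: highest score, newest updated_at on a tie."""
    cves = {a.cve for a in advisories}
    if len(cves) != 1:
        raise ValueError(f"expected advisories for exactly one CVE, got {sorted(cves)}")
    return max(advisories, key=lambda a: (trust_score(a), a.updated_at))


# Constructed sample records for the conflict described in the issue.
NVD_CVE_1 = Advisory("nvd", "nvd", "CVE-1", "1 through 5", updated_at=date(2023, 5, 1))
GITHUB_CVE_1 = Advisory("github", "Hritik14", "CVE-1", "1 through 4",
                        references=["https://archlinux.com/advisory"],
                        updated_at=date(2023, 6, 1))
GITHUB_OLDER = Advisory("github", "Hritik14", "CVE-1", "1 through 4",
                        updated_at=date(2023, 1, 1))

if __name__ == "__main__":
    chosen = reconcile([NVD_CVE_1, GITHUB_CVE_1])
    print(f"{chosen.cve}: trust {chosen.platform}, affected {chosen.affected_versions}")
```

With the sample weights the archlinux.com reference lifts the GitHub record above NVD, while the GitHub record without that reference ties NVD on score and loses on the older `updated_at`.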