SoftwareDesignLab / nvip-crawler

Crawler project for National Vulnerability Intelligence Platform
MIT License

Fixfinder Prototype #141

Closed dylan-mulligan closed 11 months ago

dylan-mulligan commented 1 year ago

After discussing the state of the patchfinder with Mehdi, he feels that we should also look for information regarding "fixes" for known vulnerabilities from the security advisories and possibly other sources that post vulnerability information. I've done some poking around, and it looks like Google's security advisories post fix information. When I say "fix information", I mean whatever instructions on how the user can "fix" the security issue. For example, "Upgrade to version 2.3.51 to patch CVE-2023-1111" or "Close port 18002 to prevent known exploitation of CVE..." and so on. These fixes will often relate to closed-source projects, ones which we currently have no way of collecting patch/fix information on. Between the patch and fix finder, the goal is to collect any and all information regarding resolving known vulnerabilities, and we are working on the API/UI to store this information on the information page of all known CVEs.

dylan-mulligan commented 11 months ago

161