security-alliance / seal-911

SEAL 911 is a project designed to give users, developers, and security researchers an accessible way to connect with a small group of highly trusted security professionals in case of emergency.
https://t.me/seal_911_bot

Web3 vulnerabilities classification #14

Open kajaaz opened 2 months ago

kajaaz commented 2 months ago

Hey,

I just wondered if you have already thought about a model for web3 vulnerability classification, to collect them in a database like MITRE's?

Thanks

kajaaz commented 2 months ago

Currently, I am only aware of the EEA EthTrust: https://entethalliance.github.io/eta-registry/security-levels-spec.html

pcaversaccio commented 2 months ago

I think they did a decent job: https://dl.acm.org/doi/fullHtml/10.1145/3391195#sec-9


kajaaz commented 2 months ago

@pcaversaccio Yes, I was aware of that work, but it is from 2020, so the vulnerability types are a bit old. I was more looking for a vulnerability classification scheme like the CVE (e.g. https://nvd.nist.gov/vuln/detail/CVE-2023-40014). Would it be relevant to create a scheme specific to web3 vulnerabilities, or should we follow the NIST one?

pcaversaccio commented 2 months ago

> @pcaversaccio Yes, I was aware of that work, but it is from 2020, so the vulnerability types are a bit old. I was more looking for a vulnerability classification scheme like the CVE (e.g. https://nvd.nist.gov/vuln/detail/CVE-2023-40014). Would it be relevant to create a scheme specific to web3 vulnerabilities, or should we follow the NIST one?

I don't have the perfect answer here yet tbh. Will think about it and ask other SEAL members.