A Security Practices Evaluation Framework

Per Vulnerability Attributes


Description

While hundreds of security metrics have been proposed, tracking a relatively small set of attributes for each vulnerability detected in the software is sufficient to replicate many of them.

Definition

Data Collection

In addition to data kept for defects (e.g. those attributes listed by Lamkanfi [32]), we collect:

  • Source – The name of the bug tracker or bug-tracking database where the vulnerability is recorded.
  • Identifier – The unique identifier of the vulnerability in its source database.
  • Description – Text description of the vulnerability.
  • Discovery Date – Date the vulnerability was discovered.
  • Creation Date – Date the tracking record was created.
  • Patch Date – The date the change resolving the vulnerability was made.
  • Release Date – The date the software containing the vulnerability was released.
  • Severity – The criticality of the vulnerability. Scale: Low, Medium, High.
  • Phase – Indication of when during the development lifecycle the vulnerability was discovered.
  • Reporter – Indication of who found the vulnerability:
      ◦ Role
      ◦ (Optional) Identifier (name, email)
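As an added illustration (not code from the framework or its authors), the following Python sketch represents the attribute list above as a record type with basic consistency checks, and derives a few example metrics from such records, which is the point of the Description: a small attribute set supports many metrics. The specific metric definitions (days from discovery to patch, share of vulnerabilities discovered on or after release, counts by severity and by reporter role), the phase and role vocabularies, and the sample records are assumptions made for the example and are not part of the page.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class Severity(Enum):
    """Severity scale from the attribute list: Low, Medium, High."""
    LOW = "Low"
    MEDIUM = "Medium"
    HIGH = "High"


@dataclass(frozen=True)
class Reporter:
    """Who found the vulnerability: a role plus an optional personal identifier."""
    role: str                         # role vocabulary is an assumption (e.g. "developer", "external")
    identifier: Optional[str] = None  # optional name or email


@dataclass(frozen=True)
class VulnerabilityRecord:
    """One record per vulnerability, holding the attributes listed above."""
    source: str                       # bug tracker / database name
    identifier: str                   # unique id within the source
    description: str
    discovery_date: date
    creation_date: date               # when the tracking record was created
    patch_date: Optional[date]        # None while unresolved (assumption)
    release_date: date                # release of the software containing the flaw
    severity: Severity
    phase: str                        # lifecycle phase labels are an assumption
    reporter: Reporter

    def validate(self) -> List[str]:
        """Return consistency problems; an empty list means the record is sane."""
        problems: List[str] = []
        if self.creation_date < self.discovery_date:
            problems.append("tracking record created before discovery")
        if self.patch_date is not None and self.patch_date < self.discovery_date:
            problems.append("patched before discovery")
        if not self.source or not self.identifier:
            problems.append("missing source or identifier")
        return problems

    def days_to_patch(self) -> Optional[int]:
        """Days from discovery to the resolving change (assumed definition); None if unpatched."""
        if self.patch_date is None:
            return None
        return (self.patch_date - self.discovery_date).days

    def found_after_release(self) -> bool:
        """True when discovery happened on or after the release date."""
        return self.discovery_date >= self.release_date


def summarize(records: List[VulnerabilityRecord]) -> Dict[str, object]:
    """Derive example metrics from the per-vulnerability attributes."""
    by_severity: Dict[str, int] = {s.value: 0 for s in Severity}
    by_role: Dict[str, int] = {}
    patch_times: List[int] = []
    post_release = 0
    for r in records:
        by_severity[r.severity.value] += 1
        by_role[r.reporter.role] = by_role.get(r.reporter.role, 0) + 1
        d = r.days_to_patch()
        if d is not None:
            patch_times.append(d)
        if r.found_after_release():
            post_release += 1
    return {
        "count": len(records),
        "by_severity": by_severity,
        "by_reporter_role": by_role,
        "mean_days_to_patch": sum(patch_times) / len(patch_times) if patch_times else None,
        "unpatched": len(records) - len(patch_times),
        "post_release_fraction": post_release / len(records) if records else 0.0,
    }


# Constructed sample records for the example; not real vulnerabilities.
SAMPLE = [
    VulnerabilityRecord("tracker-a", "V-1", "Buffer overflow in parser",
                        date(2020, 1, 10), date(2020, 1, 10), date(2020, 1, 20),
                        date(2019, 12, 1), Severity.HIGH, "post-release",
                        Reporter("external")),
    VulnerabilityRecord("tracker-a", "V-2", "Missing authorization check",
                        date(2020, 2, 1), date(2020, 2, 3), date(2020, 2, 5),
                        date(2020, 3, 1), Severity.MEDIUM, "testing",
                        Reporter("tester", "qa@example.test")),
    VulnerabilityRecord("tracker-b", "V-3", "Verbose error message",
                        date(2020, 3, 15), date(2020, 3, 15), None,
                        date(2020, 3, 1), Severity.LOW, "post-release",
                        Reporter("external")),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        assert not rec.validate(), rec.validate()
    print(summarize(SAMPLE))
```

The validation step matters in practice: date fields pulled from trackers are often inconsistent (a record created before the flaw was "discovered", or a patch date earlier than discovery), and any metric computed from such rows is silently wrong unless the rows are rejected or flagged first.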