VulnTotal like structure #1316

Description

@Hritik14

Current scenario

We combine multiple vulnerability sources and try to reconcile them into one vulnerability. Even though, in reality, there is only one vulnerability, disagreement between different data sources results in conflicting details. For example, if NVD says CVE-1 affects version 1 through 5 but GitHub says the same CVE affects version 1 through 4 of a project, which one should we trust?

Building Trust

There are multiple factors responsible for building trust in a single advisory. The simplest is to trust one advisory publisher over another in every instance. A more involved way would include more factors such as:

  1. Advisory Publishing Platform: e.g., trust NVD advisories more than GitHub advisories
  2. Advisory Publisher: e.g., trust advisories published by @pombredanne more than those published by @Hritik14
  3. References: e.g., increase trust if the advisory uses archlinux.com as a reference
  4. Assigning CNA
  5. CVE modification history and respective authors, e.g. https://nvd.nist.gov/vuln/detail/CVE-2023-33934#VulnChangeHistorySection
  6. Vulnerability reporter/finder
  7. Advisory having an "Updated at" value which is newer, e.g. https://www.cve.org/CVERecord?id=CVE-2023-33934
  8. Exploit availability (this might be tough to get in an advisory)
  9. Suspicion factor
    1. Mismatching CVE id and CVE publishing year: e.g., a CVE-2020 id that was published in the year 1998
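One way to turn a few of these factors into a score and resolve the NVD/GitHub disagreement from the description, as an added example that is not VulnerableCode's own code; the weights, the `Advisory` fields and the sample advisories are all constructed assumptions:

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse
import re

# Assumed weights for the trust factors listed in the issue (constructed, tunable).
PLATFORM_TRUST = {"nvd": 3.0, "github": 2.0}   # factor 1: publishing platform
TRUSTED_REFERENCE_HOSTS = {"archlinux.com"}    # factor 3: references
NEWEST_UPDATE_BONUS = 1.0                      # factor 7: newest "Updated at"
SUSPICION_PENALTY = 5.0                        # factor 9: CVE id year vs publish year


@dataclass
class Advisory:
    cve_id: str
    platform: str
    affected_versions: str
    published_year: int
    updated_at: str                    # ISO date string, compared lexically
    references: list = field(default_factory=list)


def cve_id_year(cve_id: str):
    """Year encoded in the CVE id, or None when the id is malformed."""
    m = re.fullmatch(r"CVE-(\d{4})-\d{4,}", cve_id)
    return int(m.group(1)) if m else None


def trust_score(adv: Advisory, newest_update: str) -> float:
    score = PLATFORM_TRUST.get(adv.platform, 1.0)
    hosts = {urlparse(r).hostname for r in adv.references}
    score += len(hosts & TRUSTED_REFERENCE_HOSTS)
    if adv.updated_at == newest_update:
        score += NEWEST_UPDATE_BONUS
    year = cve_id_year(adv.cve_id)
    # An advisory "published" before the year in its own CVE id is suspicious.
    if year is None or adv.published_year < year:
        score -= SUSPICION_PENALTY
    return score


def pick_trusted(advisories):
    """Return the advisory to trust when sources disagree about the same CVE."""
    newest = max(a.updated_at for a in advisories)
    return max(advisories, key=lambda a: trust_score(a, newest))


# Constructed sample: the NVD/GitHub disagreement from the issue plus a
# made-up mirror record whose publish year predates the year in its CVE id.
SAMPLE = [
    Advisory("CVE-2023-33934", "nvd", "1 through 5", 2023, "2023-06-01",
             ["https://archlinux.com/security/example"]),
    Advisory("CVE-2023-33934", "github", "1 through 4", 2023, "2023-06-10"),
    Advisory("CVE-2023-33934", "mirror", "1 through 9", 1998, "2023-05-01"),
]
```

Running `pick_trusted(SAMPLE)` selects the NVD record: its platform weight and trusted reference outweigh GitHub's newer update, and the mirror record is pushed to the bottom by the suspicion penalty.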
