The (un)reliability of NVD vulnerable versions data: an empirical experiment on Google Chrome vulnerabilities

Authors:
Viet Hung Nguyen;Fabio Massacci
Affiliations:
University of Trento, Trento, Italy;University of Trento, Trento, Italy
Venue:
Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security
Year:
2013

Citing 9
Cited 0

Is Finding Security Holes a Good Idea?

IEEE Security and Privacy
When do changes induce fixes?

MSR '05 Proceedings of the 2005 international workshop on Mining software repositories
Milk or wine: does software security improve with age?

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Predicting Defects for Eclipse

PROMISE '07 Proceedings of the Third International Workshop on Predictor Models in Software Engineering
Is it a bug or an enhancement?: a text-based approach to classify change requests

CASCON '08 Proceedings of the 2008 conference of the center for advanced studies on collaborative research: meeting of minds
Fair and balanced?: bias in bug-fix datasets

Proceedings of the the 7th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
A Case Study of Bias in Bug-Fix Datasets

WCRE '10 Proceedings of the 2010 17th Working Conference on Reverse Engineering
After-life vulnerabilities: a study on firefox evolution, its vulnerabilities, and fixes

ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
An independent validation of vulnerability discovery models

Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

NVD is one of the most popular databases used by researchers to conduct empirical research on data sets of vulnerabilities. Our recent analysis on Chrome vulnerability data reported by NVD has revealed an abnormally phenomenon in the data where almost vulnerabilities were originated from the first versions. This inspires our experiment to validate the reliability of the NVD vulnerable version data. In this experiment, we verify for each version of Chrome that NVD claims vulnerable is actually vulnerable. The experiment revealed several errors in the vulnerability data of Chrome. Furthermore, we have also analyzed how these errors might impact the conclusions of an empirical study on foundational vulnerability. Our results show that different conclusions could be obtained due to the data errors.