The Dong Vulnerabilities and Exposures (DVE) list is how the IoD project keeps track of the vulnerabilities in IoD devices that we report. It is modeled loosely after the CVE (Common Vulnerabilities and Exposures) vulnerability reference methodology.
The format we are using (subject to change) is as follows:
Candidate Vulnerabilities format:
Used for tracking vulnerabilities with vendors during communication; candidate entries should not generally be public. A candidate entry tracks the vulnerability before it has been verified by the vendor and makes clear which vulnerability is being discussed, particularly where there are several of the same type.
Final DVE record format:
Once a candidate vulnerability has been submitted to the vendor and confirmed by them, it is upgraded to a DVE number for further tracking. Once it has been fixed or otherwise mitigated, the DVE record, which will contain the company name, the products affected, the vulnerable versions (if any), and a description of the vulnerability, will be posted for others to learn from.
The fact that we found a vulnerability and are posting a DVE report does not make any company's products better or worse than another's. Since this is a volunteer effort, it is not always possible to spend an equal amount of time on each vendor's products. The fact that these vendors are working with us and participating in vulnerability disclosure is actually a good thing and shows that they are being responsible. If anything, their participation and willingness to quickly fix vulnerabilities should be taken as a sign of a privacy- and security-responsible company.