Update: Vendor Mappings and NDAs

All:

I expect that the NDAs (non-disclosure agreements) for vendor tool
mappings will be ready in the next few business days.  I will email
them to each separate vendor once they are ready.  In short, the NDAs
prevent you from explicitly referring to or redistributing the
MITRE-created mappings (e.g. in marketing) while also allowing you to
use them to help generate your own mappings.

As I said before, it would be best for you to provide me with an
"annotated" vulnerability list for your tool.  This will allow you to
link back to your own internal databases more easily.  As a reminder:

>2) For the mappings to be most effective, I need to obtain an
>up-to-date vulnerability list from you for your tool(s), in the
>following format (or as close as possible):
>
>  - a single line per vulnerability (or, multiple line entries
>    separated by a carriage return)
>  - short text description for the vulnerability (single-line "short
>    descriptions", or 3-5 lines; worst case, the full description)
>  - INCLUDE YOUR OWN ID FOR THE VULNERABILITY.  (Preferably the first
>    part of the vulnerability entry, but not required.)  This
>    requirement is for your benefit - most vulnerability lists I
>    used don't have the vendor's vulnerability ID associated with them,
>    so you would have had to match up CVE numbers to your text
>    descriptions.  Whatever ID you use is fine, as long as it allows
>    you to get to the information you need.
>  - list references (preferred, not required; this helps narrow the
>    search and increases accuracy)
>
>Here are some example entries (a la X-force database, where the first
>word in the line is the X-Force vulnerability name):
>
>aix-infod AIX infod vulnerability allows local user to gain root
>access
>
>bnu-uucpd-bo BNU uucpd contains a buffer overflow which allows a local
>user to execute arbitrary commands as root.
>
>smtp-875bo Sendmail 8.7.5 stack BO


Feel free to email me this information once you have obtained it, and
I will create the appropriate mappings.  The mappings should be ready
soon after you have signed the NDAs on your end.

If you cannot provide such a list, then a simpler list (e.g. single
line descriptions that you might use in product literature) may be
fine - but it will be more inconvenient for you to link back to your
database.

In the interest of fairness, I am willing to offer this "service" to
anyone on the Editorial Board (not just vendors) provided you can give
me a vulnerability list.

- Steve

Page Last Updated or Reviewed: May 22, 2007