Re: Update Disclosure Sources List - Please Vote!

To: "Mann, Dave" <damann@mitre.org>
Subject: Re: Update Disclosure Sources List - Please Vote!
From: Art Manion <amanion@cert.org>
Date: Wed, 12 Oct 2011 00:06:48 -0400
CC: "Kent_Landfield@McAfee.com" <Kent_Landfield@McAfee.com>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-Date: Wed Oct 12 00:07:25 2011
In-Reply-To: <3FF9F74E63A7484EB3B88F04329CBEDC04448C4269@IMCMBX1.MITRE.ORG>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
OpenPGP: id=36C268A3
References: <3FF9F74E63A7484EB3B88F04329CBEDC0444812B45@IMCMBX1.MITRE.ORG> <CAB32B6B.218F9%kent_landfield@mcafee.com> <3FF9F74E63A7484EB3B88F04329CBEDC04448C4269@IMCMBX1.MITRE.ORG>
Sender: <owner-cve-editorial-board-list@LISTS.MITRE.ORG>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1

On 2011-10-11 15:58 , Mann, Dave wrote:
>> From: Kent_Landfield@McAfee.com [mailto:Kent_Landfield@McAfee.com]
>> Non-OS venders should be included
>> Specifically Desktop products that are commonly seen in both corporate and
>> consumer systems
> 
> Can you name names?  That's a potentially very large list.
> 
> Would it be worth combining this with a numeric qualifier?  Say, desktop products that produce more than 10 disclosures a year? (pulling that number out of the air)

Not speaking for Kent:  Adobe, popular browser vendors, things that
parse video/images/audio, Microsoft (already covered), office suites,
maybe popular chat software...  I'm probably missing something.

>> 2.  Nice to have
>>    *   ZDI
>>    *   Exploit-DB
>>    *   MSVR - Microsoft Vulnerability Research Advisories
>>    *   iDefense
>>    *   cisco-sa-xxxxxxxx-xxx (Cisco Security Advisories)
>>    *   Htxxxx (Apple)
>>    *   VMSA (Vmware Security Advisories)
>>    *   CNVD (China National Vulnerability Database)
>>    *   Metasploit Module Ids
> 
> Some of these are behind pay-walls, no?
> 
> CVE charter is to provide ids for "publicly available" vulnerabilities.  
> 
> I don't consider things behind pay-walls as publicly available.  My mind could be changed on that but it would need to be a good argument.

I think it's reasonable to stick with publicly available.  The stuff
behind the pay walls usually/eventually comes out, then it can get a CVE
ID.  The discloser might even be a CNA, or at least request CVE IDs as
the vuls come out publicly.  I wouldn't suggest trying to track hints
about upcoming releases or non-public vuls -- costly and inaccurate.

 - Art

References:
- Update Disclosure Sources List - Please Vote!
  - From: "Mann, Dave" <damann@mitre.org>
- Re: Update Disclosure Sources List - Please Vote!
  - From: <Kent_Landfield@McAfee.com>
- RE: Update Disclosure Sources List - Please Vote!
  - From: "Mann, Dave" <damann@mitre.org>

Prev by Date: RE: CVE Must-Have Coverage
Next by Date: Re: CVE Response Time
Prev by thread: RE: Update Disclosure Sources List - Please Vote!
Next by thread: RE: Update Disclosure Sources List - Please Vote!
Index(es):
- Date
- Thread

Page Last Updated: November 06, 2012

Common Vulnerabilities and Exposures

Re: Update Disclosure Sources List - Please Vote!