Re: Update Disclosure Sources List - Please Vote!
On 2011-10-11 15:58, Mann, Dave wrote:
>> From: Kent_Landfield@McAfee.com [mailto:Kent_Landfield@McAfee.com]
>> Non-OS vendors should be included
>> Specifically Desktop products that are commonly seen in both corporate and
>> consumer systems
>
> Can you name names? That's a potentially very large list.
>
> Would it be worth combining this with a numeric qualifier? Say, desktop products that produce more than 10 disclosures a year? (pulling that number out of the air)

Not speaking for Kent: Adobe, popular browser vendors, things that parse video/images/audio, Microsoft (already covered), office suites, maybe popular chat software... I'm probably missing something.

>> 2. Nice to have
>> * ZDI
>> * Exploit-DB
>> * MSVR - Microsoft Vulnerability Research Advisories
>> * iDefense
>> * cisco-sa-xxxxxxxx-xxx (Cisco Security Advisories)
>> * Htxxxx (Apple)
>> * VMSA (VMware Security Advisories)
>> * CNVD (China National Vulnerability Database)
>> * Metasploit Module Ids
>
> Some of these are behind pay-walls, no?
>
> CVE charter is to provide ids for "publicly available" vulnerabilities.
>
> I don't consider things behind pay-walls as publicly available. My mind could be changed on that but it would need to be a good argument.

I think it's reasonable to stick with publicly available. The stuff behind the pay walls usually/eventually comes out, then it can get a CVE ID. The discloser might even be a CNA, or at least request CVE IDs as the vuls come out publicly. I wouldn't suggest trying to track hints about upcoming releases or non-public vuls -- costly and inaccurate.

- Art