Re: Update Disclosure Sources List - Please Vote!
On 2011-10-11 15:58 , Mann, Dave wrote:
>> From: Kent_Landfield@McAfee.com [mailto:Kent_Landfield@McAfee.com]
>> Non-OS venders should be included
>> Specifically Desktop products that are commonly seen in both corporate and
>> consumer systems
> Can you name names? That's a potentially very large list.
> Would it be worth combining this with a numeric qualifier? Say, desktop products that produce more than 10 disclosures a year? (pulling that number out of the air)
Not speaking for Kent: Adobe, popular browser vendors, things that
parse video/images/audio, Microsoft (already covered), office suites,
maybe popular chat software... I'm probably missing something.
>> 2. Nice to have
>> * ZDI
>> * Exploit-DB
>> * MSVR - Microsoft Vulnerability Research Advisories
>> * iDefense
>> * cisco-sa-xxxxxxxx-xxx (Cisco Security Advisories)
>> * Htxxxx (Apple)
>> * VMSA (Vmware Security Advisories)
>> * CNVD (China National Vulnerability Database)
>> * Metasploit Module Ids
> Some of these are behind pay-walls, no?
> CVE charter is to provide ids for "publicly available" vulnerabilities.
> I don't consider things behind pay-walls as publicly available. My mind could be changed on that but it would need to be a good argument.
I think it's reasonable to stick with publicly available. The stuff
behind the pay walls usually/eventually comes out, then it can get a CVE
ID. The discloser might even be a CNA, or at least request CVE IDs as
the vuls come out publicly. I wouldn't suggest trying to track hints
about upcoming releases or non-public vuls -- costly and inaccurate.