Re: Update Disclosure Sources List - Please Vote!
[resending due to bounces, and re-edited slightly]

On Thu, 6 Oct 2011, Kent_Landfield@McAfee.com wrote:

> Government Information Sources
> Ignore - US-CERT Bulletins (aka Cyber-Notes)

These are directly populated from NVD, so assuming NVD continues to be populated by CVE, these by definition should be ignored unless we want to go into some infinitely-recursive loop ;-)

> Ignore - DoD IAVAs

These are not public, so even referencing them is probably an information leak of some kind that DoD probably doesn't want. Note, however, that MITRE's CVE team regularly receives requests for IAVA mappings (maybe the IAVA people could handle that?)

> Mailing Lists & VDBs
> Must Have - Bugtraq

We currently monitor but don't guarantee coverage.

> Nice to Have - Full Disclosure

There's often too much noise with the flame wars and all, so we don't actively monitor (there are some important disclosures there, but we pick them up from other VDBs.)

> Ignore - Security Focus

If you're talking about BID - note that this is one of the more common cross-references used in the industry.

> Must Have - OSVDB

Note that OSVDB tries to capture every vulnerability report, even if from a small changelog entry with 6 words in it, with very little analysis and often only a title and a couple of references. They are still actively pursuing the "cover everything" dream. Brian Martin and I could talk for days on the evolving synergies between CVE and OSVDB. At this stage of the vuln information industry, OSVDB is on the extreme end of trying to cover everything, including vulns from the 1960s, voting systems, etc.

> Must Have - FRSIRT (VUPEN)

VUPEN stopped publishing their advisories to non-government people a few months ago. They are no longer covered because they aren't public. (We also have 20,000 (yes, thousand) broken links in CVE's current data now that their DB has disappeared, but that's a different story and a not-uncommon fate.)

> Nice to Have - Oss-security

FYI, these days I would guess that about 85% of oss-security is related to CVE assignment requests, so it's "must have" due to other criteria of covering CNAs (thanks to Red Hat for handling oss-security requests.)

- Steve