Re: CVE Information Sources & Scope
> Government Information Sources
> US-CERT Advisories (aka CERT-CC Advisories)
Must have. Although largely republication at the moment, we expect this
to change, and volume is fairly low.
> US-CERT Vulnerability Notes (CERT-CC)
> US-CERT Bulletins (aka Cyber-Notes)
These are collections of already public reports, possibly generated from
> DoD IAVAs
Doubt usefulness. Republication well after CVE has been assigned?
Good to watch, new vul reports rarely come out.
Almost exclusively republication. AusCERT even provides a list of what
products/vendors they monitor (or did).
Name changed, believe this is entirely republication.
> CNA Published Information
Must have, but included in US-CERT vul notes and Alerts above.
> Apple OSX
> Non-CNA Vendor Advisories
> Cisco IOS
> FreeBSD
> OpenBSD
> NetBSD
> Gentoo (Linux)
> Ubuntu (Linux)
Must have, although as usual lots of duplication across Linux/UNIX distros.
> Mailing Lists & VDBs
It's been a while since I watched any of these closely.
Not sure what these are like anymore. Seemed to be low signal.
> Full Disclosure
Lots of noise, but new reports come out. Must have.
> Security Focus
Bugtraq? Or other lists?
> Security Tracker
Not sure of current quality/signal.
Must have, because they're trying to be reference complete.
> ISS X-Force
Changed name again -- VUPEN? If they provide original reports, then
Good to have.
> Packet Storm
No longer familiar, seems dated.
No longer familiar.
> SANS Mailing List (Qualys)
Don't know about new vul reports here.
> Neohapsis (Security Threat Watch)
Only know about their archive service.
IMO, any and every source of "OC" (original content, original vul
reports) should be monitored, starting with major vendors, CNAs, and
sources with high quality signal (even if they are also noisy).