[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Sources: Full and Partial Coverage



On Thu, 17 May 2012, Booth, Harold wrote:

: Dave has stated that this discussion is about what the scope for CVE 
: should be. As I review the discussion it seems the focus has been 
: predominately on what sources should be covered. I think the focus of 
: the discussion should be on what products should be covered. While in 
: some cases the terms 'sources' and 'products' have been used 
: interchangeably I am not sure that they necessarily mean the same thing. 
: A 'source' may change what products it covers over time, where the 
: product that was desirable to be covered in that source may eventually 

: To summarize, I think the scope of CVE should be defined, almost 
: exclusively, in terms of products covered, and not in terms of sources 
: covered.

This simply doesn't translate to the daily operation of CVE. If we tell 
them "monitor ProductX", where do they look for that information? *That* 
is the point of this discussion. You cannot simply say "check the vendor 
page" as they do not issue advisories for every vulnerability. You cannot 
say "check Bugtraq or Full-Disclosure", because those too are no longer 
the exclusive sources of vulnerability information.

What you propose should be looked at for a weighting system on how CVE 
prioritizes data obtained from the sources they are looking at. If we 
establish they should look for vulnerabilities in 50 sources, then the 
daily grind should also have them create an entry for a Microsoft product 
before PHPBlogWeNeverHeardof.

There are two pretty distinct issues here, and I don't think one can be 
done without better defining the first. (Yes, I realize it can, but not in 
a 'complete coverage' manner, which is also the goal.)


Page Last Updated or Reviewed: November 06, 2012