RE: Sources: Full and Partial Coverage
From: security curmudgeon [mailto:firstname.lastname@example.org]
Sent: Thursday, May 17, 2012 3:28 PM
To: Booth, Harold
Subject: RE: Sources: Full and Partial Coverage
On Thu, 17 May 2012, Booth, Harold wrote:
: Dave has stated that this discussion is about what the scope for CVE
: should be. As I review the discussion it seems the focus has been
: predominately on what sources should be covered. I think the focus of
: the discussion should be on what products should be covered. While in
: some cases the terms 'sources' and 'products' have been used
: interchangeably I am not sure that they necessarily mean the same thing.
: A 'source' may change what products it covers over time, where the
: product that was desirable to be covered in that source may eventually
: To summarize, I think the scope of CVE should be defined, almost
: exclusively, in terms of products covered, and not in terms of sources
> This simply doesn't translate to the daily operation of CVE. If we tell them "monitor ProductX",
> where do they look for that information? *That* is the point of this discussion. You cannot
> simply say "check the vendor page" as they do not issue advisories for every vulnerability. You
> cannot say "check Bugtraq or Full-Disclosure", because those too are no longer the exclusive
> sources of vulnerability information.
I disagree that the point of the discussion should be about what sources to monitor; that presupposes a solution. We are talking about what the scope of CVE should be. How to define that scope is important. If we say cover product X, then the processes and machinery which make up CVE will need to be constructed in a manner that will make it possible to accomplish that goal. If we say cover source X, then the processes and machinery which make up CVE will be constructed in a manner to accomplish that goal. I am suggesting that the scope should be defined in terms of the desired goals, and further I am suggesting the goal should be product coverage and not source coverage. The fact that the current daily operations of CVE do not translate well to "monitor ProductX" may mean that the daily operations of CVE need to be modified.
> What you propose should be looked at for a weighting system on how CVE prioritizes data
> obtained from the sources they are looking at. If we establish they should look for
> vulnerabilities in 50 sources, then the daily grind should also have them create an entry for a
> Microsoft product before PHPBlogWeNeverHeardof.
While I understand what you are trying to say here, I still hold to my previous comments that sources are secondary to products covered, especially since some products may require looking at multiple sources. I am not all that interested in sources; I am keenly interested in products, though.