RE: Sources: Full and Partial Coverage
From: security curmudgeon [mailto:firstname.lastname@example.org]
Sent: Thursday, May 17, 2012 3:57 PM
To: Booth, Harold
Subject: RE: Sources: Full and Partial Coverage
On Thu, 17 May 2012, Booth, Harold wrote:
: > What you propose should be looked at for a weighting system on how CVE prioritizes data
: > obtained from the sources they are looking at. If we establish they should look for
: > vulnerabilities in 50 sources, then the daily grind should also have them create an entry for a
: > Microsoft product before PHPBlogWeNeverHeardof.
: While I understand what you are trying to say here, I still hold to my
: previous comments that sources are secondary to products covered.
: Especially since some products may require looking at multiple sources.
: I am not all that interested in sources, I am keenly interested in
: products though.
> Right, I understand that desire.
> However, if you say "CVE, monitor ProductX", and due to an incomplete list of sources
> being monitored, they end up issuing an ID for only 70% of the vulnerabilities disclosed
> in ProductX, has that met your need?
No, it has not. But then CVE and everyone else will know that, since the goal has been defined in terms of "monitor ProductX". Changes to process and tools will be made to get the number closer to 100%. If the goal is defined as "monitor sources X, Y and Z", which results in an ID for 70% of the vulnerabilities disclosed for ProductX, there is likely no explicit step in the process to improve coverage of ProductX. "What gets measured, gets done," and I believe measuring in terms of products instead of sources will lead to more desirable results.