RE: Sources: Full and Partial Coverage

To: "Booth, Harold" <harold.booth@nist.gov>
Subject: RE: Sources: Full and Partial Coverage
From: security curmudgeon <jericho@attrition.org>
Date: Thu, 17 May 2012 15:57:20 -0500
CC: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-Date: Thu May 17 16:59:41 2012
In-Reply-To: <D7A0423E5E193F40BE6E94126930C4930B994ABC23@MBCLUSTER.xchange.nist.gov>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <2F43C4D2BE8AD24C8AC17D8C64B379B316E94C@IMCMBX01.MITRE.ORG> <CBD696D8.32CFA%kent_landfield@mcafee.com> <2F43C4D2BE8AD24C8AC17D8C64B379B3172CB9@IMCMBX01.MITRE.ORG> <D7A0423E5E193F40BE6E94126930C4930B994ABB80@MBCLUSTER.xchange.nist.gov> <alpine.LNX.2.00.1205171424131.11561@forced.attrition.org> <D7A0423E5E193F40BE6E94126930C4930B994ABBE7@MBCLUSTER.xchange.nist.gov> <alpine.LNX.2.00.1205171456030.11561@forced.attrition.org> <D7A0423E5E193F40BE6E94126930C4930B994ABC23@MBCLUSTER.xchange.nist.gov>
Sender: <owner-cve-editorial-board-list@LISTS.MITRE.ORG>
User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)

On Thu, 17 May 2012, Booth, Harold wrote:

: > However, if you say "CVE, monitor ProductX", and due to an incomplete list of sources
: > being monitored, they end up issuing an ID for only 70% of the vulnerabilities disclosed
: > in ProductX, has that met your need?
: 
: No, it has not. But then CVE and everyone else will know that, since the 
: goal has been defined in terms of "monitor ProductX". Changes to process 
: and tools will be made to get the number closer to 100%. If the goal is 
: defined as "monitor sources X, Y and Z" which result in an ID for 70% of 
: the vulnerabilities disclosed for ProductX there is likely no explicit 
: step in the process to improve coverage of ProductX. "What gets 
: measured, gets done," and I believe measuring in terms of products 
: instead of sources will lead to more desirable results.

That is a good point, but not sure if either of us can justify our 
positions short of "CVE would have to try it" =)

In my mind, if you monitor the right sources, you approach 100% for more 
products in a repeatable fashion, than if you try to go off a list of 
products first.

Follow-Ups:
- RE: Sources: Full and Partial Coverage
  - From: Tim Keanini <tkeanini@ncircle.com>
- Re: Sources: Full and Partial Coverage
  - From: Art Manion <amanion@cert.org>

References:
- RE: Sources: Full and Partial Coverage
  - From: "Mann, Dave" <damann@mitre.org>
- Re: Sources: Full and Partial Coverage
  - From: <Kent_Landfield@McAfee.com>
- RE: Sources: Full and Partial Coverage
  - From: "Mann, Dave" <damann@mitre.org>
- RE: Sources: Full and Partial Coverage
  - From: "Booth, Harold" <harold.booth@nist.gov>
- RE: Sources: Full and Partial Coverage
  - From: security curmudgeon <jericho@attrition.org>
- RE: Sources: Full and Partial Coverage
  - From: "Booth, Harold" <harold.booth@nist.gov>
- RE: Sources: Full and Partial Coverage
  - From: security curmudgeon <jericho@attrition.org>
- RE: Sources: Full and Partial Coverage
  - From: "Booth, Harold" <harold.booth@nist.gov>

Prev by Date: RE: Sources: Full and Partial Coverage
Next by Date: RE: Sources: Full and Partial Coverage
Prev by thread: RE: Sources: Full and Partial Coverage
Next by thread: RE: Sources: Full and Partial Coverage
Index(es):
- Date
- Thread

Page Last Updated: November 06, 2012

Common Vulnerabilities and Exposures

RE: Sources: Full and Partial Coverage