
Re: Sources: Full and Partial Coverage



Hi Dave,

I'm trying to consider this list, and I don't quite understand how
Mandriva can be considered when Red Hat cannot be.  I'm having trouble
thinking of a knot of issues that impact RH, but not Mandriva.

The desire to make progress is great, but I find myself hung up as I
try to think about these.

Also, is Mozilla all Mozilla projects or just Firefox?

Thinking about Internet-exposed software (inspired by the inclusion
of ISC), should we have OpenSSL and OpenSSH as full-coverage?

And then going more broadly, aren't some of these (US-CERT) really
jurisdictions which will be their own "CNA v2"?

Adam

On Fri, May 04, 2012 at 09:59:06PM +0000, Mann, Dave wrote:
| All,
| 
| We seek your input on the following sets of sources of vulnerability information.  All of the sources in the following list have been identified in our prior discussions as "must-haves".
| 
| We are breaking this list into 3 groups:
| + Sources that should be fully covered
| + Sources that should be monitored but selectively covered
| + Sources that present big challenges meriting further discussion
| 
| For the purpose of our current discussions, we would like your feedback, reactions and input on these first 2 groups.  The primary question is, should any in the first group be demoted to the second and, conversely, should any from the second group be promoted to the first.
| 
| As you consider these groups, understand that we are discussing prioritization, not feasibility.  It may be the case that CVE's current practices will need to be changed to provide the stated coverage goals for some of these sources.  We'll address that issue in later email discussions.
| 
| We'll give some indications as to why we think the second group should be only partially covered below.
| 
| 
| SHOULD BE FULLY COVERED
| -----------------------
| US-CERT: Technical Cyber Security Alerts
| RealNetworks (real.com)
| Apple
| EMC, as published through Bugtraq
| VMware
| Google: Google Chrome (includes WebKit)
| IBM: issues in IBM ISS X-Force Database
| Internet Systems Consortium (ISC)
| MIT Kerberos
| Adobe
| Apache Software Foundation: Apache HTTP Server
| Cisco: Security Advisories/Responses
| HP: Security Bulletins                         
| Microsoft: Security Bulletins/Advisories
| Mozilla
| Oracle                                      
| 
| 
| SHOULD BE MONITORED BUT SELECTIVELY COVERED
| -------------------------------------------
| US-CERT: Vulnerability Notes [1]
| Symantec: SecurityFocus BugTraq (securityfocus.com/archive/1) [1]
| Symantec: SecurityFocus Bugtraq ID (securityfocus.com/bid) [1]   
| Full Disclosure [1]
| OSVDB [1]                                       
| SecurityTracker [1]                             
| FreeBSD [2]                                    
| NetBSD [2]                                  
| OpenBSD [2]                                    
| Mandriva [2]                                   
| oss-security [3]
| IBM: issues not in IBM ISS X-Force Database [4]
| 
| 
| PRESENT BIG CHALLENGES THAT MERIT DISCUSSION AT A LATER TIME
| ------------------------------------------------------------
| Debian
| Red Hat                                      
| Attachmate: SUSE                                        
| Ubuntu (Linux)                              
| 
| 
| [1] - These sources tend to contain a mixture of both high priority issues and lower priority issues.  It is reasonable to not assign CVE ids for vulnerabilities affecting software with limited distribution and impact.
| 
| [2] - We believe that these systems are low enough in terms of their market share and distribution that it is reasonable to only assign CVE ids for more critical vulnerabilities from these sources.
| 
| [3] - For the most part, we believe that issues disclosed on this list are already disclosed in other sources that we actively monitor.
| 
| [4] - At present, IBM has no centralized distribution source for vulnerability information related to many of its products.  Some IBM products use the ISS X-Force database as their disclosure mechanism, which is listed as a fully covered source (for IBM issues only).
| 
| -Dave
| ==================================================================
| David Mann | Principal Infosec Scientist | The MITRE Corporation
| ------------------------------------------------------------------
| e-mail:damann@mitre.org | cell:781.424.6003
| ==================================================================


Page Last Updated or Reviewed: November 06, 2012