Re: Sources: Full and Partial Coverage
Sorry to come back into this discussion late. I'd like to share a
recent use case where coverage by product would have been
My goal was to study how computers become compromised. As a proxy for
one subset of that, I was using the Contagio "overview of exploit
packs" . Foreach element in that list, I was investigating when it
became publicly known, when it was patched, and several other
properties of the vuln and the update.
The searches for which I had CVEs took me 5-10 minutes per CVE.
Several of the ones for which I didn't have CVEs took between 2 hours
and failed to finish.
The vulns exploited by exploit packs are selected by the authors of
the packs, with a goal of compromising a large number of computers. I
don't believe any product-centered view of the world would be
We could, perhaps, define this work as outside the goal of CVE, but I
think that might be putting a patch management goal above a vuln
management goal. We should not do that accidentally, nor do I think
it's a good prioritization. We could work around it by adding things
like exploit kits as 'products', but I believe that stretches the
definition of products that most people here seem to have in mind.
On Mon, May 21, 2012 at 02:35:39PM +0100, Damir Rajnovic wrote:
| No, not really. By definition CVE is the best effort project. It is so
| because we rely on others (i.e., vendors, researches) to provide the information.
| Until we have vendors comitted assigning CVE themselves that will continue
| to be so.
| Estimating how many vulnerabilities are not covered can also be questioned.
| Some vendors may quietly fix things and never admitting that fact. Would
| you count that as lack of coverage? I would _if_ I manage to establish that
| this really happened. What are other ways that vulnerability may 'escape'?
| The bottom line is that I am a pragmatist and will take what there is available
| to get the job done. If we cannot reliably estimate coverage I would still
| use CVE.
| On Fri, May 18, 2012 at 12:51:56PM -0500, security curmudgeon wrote:
| > On Fri, 18 May 2012, Damir Rajnovic wrote:
| > : Hear, hear! Defining the goal in the scope of products is much better
| > : than sources and I am saying this as a consumer of CVEs. I have a piece
| > : of SW and I would like to know what is going with it. If the currently
| > : used sources do not cover the product 100% then the workaround can be to
| > : publicly say "we cover product X to an estimate 80% (or whatever)". That
| > : way CVE consumers are told of the situation.
| > Does your answer change if the percentage cannot be answered with any
| > certainty at all?
| Damir Rajnovic <firstname.lastname@example.org>, PSIRT Incident Manager, Cisco Systems
| <http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033
| 200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
| There are no insolvable problems.
| The question is can you accept the solution?
| Incident Response and Product Security
| - - - -
| Cisco.com - http://www.cisco.com/global/UK
| This e-mail may contain confidential and privileged material for the sole
| use of the intended recipient. Any review, use, distribution or disclosure by
| others is strictly prohibited. If you are not the intended recipient (or
| authorized to receive for the recipient), please contact the sender by reply
| e-mail and delete all copies of this message.
| Cisco Systems Limited (Company Number: 02558939), is registered in England
| and Wales with its registered office at 1 Callaghan Square, Cardiff,
| South Glamorgan CF10 5BT
| For corporate legal information go to: