Re: Sources: Full and Partial Coverage
On 2012-06-12 06:38 , Damir Rajnovic wrote:
> This is interesting situation you are describing. Here is how I see a potential
> scenario being played out. We select to cover products and SHINY is one of
> them. To get vulnerabilities in SHINY we select Contagio as the source.
> Things are working fine but Contagio is also providing information about
> other products that are not on our list. The question is what to do with
> this extra information? Is this what you are trying to illustrate?
My read of this is that vulnerabilities included in exploit kits warrant
Again, we're doing a bit of a jump from "criteria for vulnerabilities to
be included in CVE" to "sources that generally meet the criteria." But
this one is pretty effective IMO.
criteria: product SHINY
source: vendor security page for SHINY
criteria: things that are getting exploited
source: Contagio, exploit db
criteria: things that affect lots of users
source: bugtraq? (which also contains things that don't meet this criteria)
There aren't always going to be sources that directly map to criteria.
So I think it's good for CVE to have criteria, and a list of sources.
CVE is going to have to do some of the drudge work filtering through
bugtraq/full-disclosure for things that meet the criteria (at least some
of this can be computer-assisted).