[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Sources: Full and Partial Coverage



On 2012-06-12 06:38 , Damir Rajnovic wrote:

> This is interesting situation you are describing. Here is how I see a potential
> scenario being played out. We select to cover products and SHINY is one of
> them. To get vulnerabilities in SHINY we select Contagio as the source.
> Things are working fine but Contagio is also providing information about
> other products that are not on our list. The question is what to do with
> this extra information? Is this what you are trying to illustrate?

My read of this is that vulnerabilities included in exploit kits warrant
CVE IDs.

Again, we're doing a bit of a jump from "criteria for vulnerabilities to
be included in CVE" to "sources that generally meet the criteria."  But
this one is pretty effective IMO.

criteria: product SHINY
source: vendor security page for SHINY

criteria: things that are getting exploited
source: Contagio, exploit db

criteria: things that affect lots of users
source: bugtraq? (which also contains things that don't meet this criteria)

There aren't always going to be sources that directly map to criteria.
So I think it's good for CVE to have criteria, and a list of sources.
CVE is going to have to do some of the drudge work filtering through
bugtraq/full-disclosure for things that meet the criteria (at least some
of this can be computer-assisted).


 - Art


 
Page Last Updated: November 06, 2012