Re: Sources: Full and Partial Coverage

To: Gaus <gaus@cisco.com>
Subject: Re: Sources: Full and Partial Coverage
From: Art Manion <amanion@cert.org>
Date: Tue, 12 Jun 2012 09:52:47 -0400
CC: Adam Shostack <adam@homeport.org>, security curmudgeon<jericho@attrition.org>, cve-editorial-board-list<cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-Date: Tue Jun 12 09:55:02 2012
In-Reply-To: <20120612103815.GK576@MacGaus.cisco.com>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
OpenPGP: id=36C268A3
References: <2F43C4D2BE8AD24C8AC17D8C64B379B316E94C@IMCMBX01.MITRE.ORG> <CBD696D8.32CFA%kent_landfield@mcafee.com> <2F43C4D2BE8AD24C8AC17D8C64B379B3172CB9@IMCMBX01.MITRE.ORG> <D7A0423E5E193F40BE6E94126930C4930B994ABB80@MBCLUSTER.xchange.nist.gov> <20120518104737.GT9865@MacGaus.cisco.com> <alpine.LNX.2.00.1205181251230.11561@forced.attrition.org> <20120521133539.GD9865@MacGaus.cisco.com> <20120611160702.GC29160@homeport.org> <20120612103815.GK576@MacGaus.cisco.com>
Sender: <owner-cve-editorial-board-list@LISTS.MITRE.ORG>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20120428 Thunderbird/12.0.1

On 2012-06-12 06:38 , Damir Rajnovic wrote:

> This is interesting situation you are describing. Here is how I see a potential
> scenario being played out. We select to cover products and SHINY is one of
> them. To get vulnerabilities in SHINY we select Contagio as the source.
> Things are working fine but Contagio is also providing information about
> other products that are not on our list. The question is what to do with
> this extra information? Is this what you are trying to illustrate?

My read of this is that vulnerabilities included in exploit kits warrant
CVE IDs.

Again, we're doing a bit of a jump from "criteria for vulnerabilities to
be included in CVE" to "sources that generally meet the criteria."  But
this one is pretty effective IMO.

criteria: product SHINY
source: vendor security page for SHINY

criteria: things that are getting exploited
source: Contagio, exploit db

criteria: things that affect lots of users
source: bugtraq? (which also contains things that don't meet this criteria)

There aren't always going to be sources that directly map to criteria.
So I think it's good for CVE to have criteria, and a list of sources.
CVE is going to have to do some of the drudge work filtering through
bugtraq/full-disclosure for things that meet the criteria (at least some
of this can be computer-assisted).

 - Art

Follow-Ups:
- Re: Sources: Full and Partial Coverage
  - From: Adam Shostack <adam@homeport.org>

References:
- Re: Sources: Full and Partial Coverage
  - From: Adam Shostack <adam@homeport.org>
- Re: Sources: Full and Partial Coverage
  - From: Damir Rajnovic <gaus@cisco.com>

Prev by Date: Re: Sources: Full and Partial Coverage
Next by Date: Re: Sources: Full and Partial Coverage
Prev by thread: Re: Sources: Full and Partial Coverage
Next by thread: Re: Sources: Full and Partial Coverage
Index(es):
- Date
- Thread

Page Last Updated: November 06, 2012

Common Vulnerabilities and Exposures

Re: Sources: Full and Partial Coverage