Re: Sources: Full and Partial Coverage
- To: "Steven M. Christey" <firstname.lastname@example.org>
- Subject: Re: Sources: Full and Partial Coverage
- From: S Lawler <email@example.com>
- Date: Fri, 22 Jun 2012 15:03:40 -0400
- Cc: Tim Keanini <firstname.lastname@example.org>, security curmudgeon <email@example.com>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
- Delivery-Date: Fri Jun 22 15:04:11 2012
- In-Reply-To: <Pine.GSO.firstname.lastname@example.org>
- References: <2F43C4D2BE8AD24C8AC17D8C64B379B316BE3E@IMCMBX01.MITRE.ORG> <1A54A32F70AFF245911642771CB08DC504CB9E@exch-sf-01.ad.ncircle.com> <alpine.LNX.email@example.com> <1A54A32F70AFF245911642771CB08DC504D51F@exch-sf-01.ad.ncircle.com> <Pine.GSO.firstname.lastname@example.org>
In a perfect world, we'd cover all products from all sources. The reality is that, with limited resources, we need to prioritize.
As this discussion continues, how would we determine which sources have the most value? I think intrinsically, we know those already.
Which products do we attempt to be thorough with? And conversely, which products do we cover only if a new serious exploit pops up?
We need to help the CVE Team figure out what is most important both from a product and source perspective. Prioritization guidance and executable procedures are critical here.
As usual, I don't have any brilliant ideas. This is a tough problem that is going to take some thought.
Scott A. Lawler, CISSP-ISSAP, ISSMP
Lightspeed Technologies, Inc.
On May 8, 2012, at 1:58 PM, Steven M. Christey wrote:
> Tim and Brian,
> EDB at least has a field that states whether they've independently verified each issue or not, and it is very commonly referenced, so that's one reason it has more focus than the others. We do pick up Packet Storm on a fairly regular basis. We have not examined whether inj3ct0r provides any additional or significant value, or any of the dozens of similar vulnerability databases across the Internet. The commonality between all these sources increases the workload significantly, so it had evolved (at least to the point of this Board discussion) to more closely watch Exploit-DB than the others.
> - Steve
> On Tue, 8 May 2012, Tim Keanini wrote:
>> They did discuss the others but just listed EDB as a class of sites that should be represented. The point was that if there is exploit code being published, it should always have a CVE.
>> Thanks for the explanation on RealPlayer.
>> Given that our VERT team has to prioritize what customers want regardless of CVE or not, they go through the same type of prioritization process but more driven by application classes. There is a product management function that surveys our customer base once per quarter to make sure we have their relevancy in mind when we develop content.
>> Tim "TK" Keanini, CTO ... nCircle Inc. ... mbl (415) 328-2722 ...
>> -----Original Message-----
>> From: owner-cve-editorial-board-list@LISTS.MITRE.ORG [mailto:owner-cve-editorial-board-list@LISTS.MITRE.ORG] On Behalf Of security curmudgeon
>> Sent: Tuesday, May 08, 2012 1:53 AM
>> To: cve-editorial-board-list
>> Subject: RE: Sources: Full and Partial Coverage
>> On Tue, 8 May 2012, Tim Keanini wrote:
>> : My head researcher felt that these were absent and should be considered given the infrastructure roles they play and I agree.
>> : Partially Cover
>> : 1) http://www.exploit-db.com/ <-- if they hit this repository, exploit code is available to the public, and it warrants a CVE.
>> I am curious why you chose EDB, and do not mention or suggest PacketStorm or inj3ct0r (1337day.com), as they both do the same thing, at least one in more volume than EDB. In fact, there is a big cross-over between all three that makes daily scouring quite annoying for some VDBs.
>> I only ask out of curiosity, because I could argue EDB over those, or PS over those, for different reasons.
>> : They also scratched their heads with RealPlayer being on the list but that might be something Federal market specific.
>> There is likely other media-based software with a larger user installation base than Real, that is not currently on the list.