RE: Sources: Full and Partial Coverage (CNA increase)
We haven't talked about increasing the number of CNAs yet, but that is definitely coming.
Increasing CNAs is a part of the "how" we cover what we cover discussion, as is quality of descriptions and minimum requirements.
First we need to get through the "what" we're going to cover part.
David Mann | Principal Infosec Scientist | The MITRE Corporation
e-mail:firstname.lastname@example.org | cell:781.424.6003
>From: email@example.com [mailto:owner-cve-
>firstname.lastname@example.org] On Behalf Of Carsten Eiram
>Sent: Monday, June 25, 2012 4:19 AM
>Subject: RE: Sources: Full and Partial Coverage (CNA increase)
>> -----Original Message-----
>> From: email@example.com [mailto:owner-cve-
>> firstname.lastname@example.org] On Behalf Of security curmudgeon
>> Sent: 22. juni 2012 23:37
>> To: Mann, Dave
>> Cc: cve-editorial-board-list
>> Subject: RE: Sources: Full and Partial Coverage (CNA increase)
>> As one example, ZDI releases a sizable number of advisories, yet they are
>> a CNA. Since they typically release in products that will make the list
>> you want, and they currently run into communication problems with
>> vendors, they should be a CNA in my eyes. Even if they get a pool of
>> 100 IDs a year, that is all they need.
>> Now, think about a few dozen like that. Not only are they helping CVE,
>> potentially expanding coverage. Looking to JP-CERT or more non-US bodies
>> that handle vulnerabilities could turn into a great asset to CVE.
>> I know I am an idealist in the land of VDBs often times, but if this
>> explored, I think it is worth discussing.
>I fully agree that getting more properly educated CNAs is the way to go -
>especially focusing on those primary sources that provide a large number of
>advisories like major software vendors (already seem pretty well covered)
>and vulnerability coordination houses like the mentioned ZDI, iDefense VCP
>(though I'm not sure how "alive" it is anymore), and Exodus Intelligence
>EIP, which was just started by a number of "ZDI defectors" as they're being
>Secunia is already a CNA to specifically assign CVE identifiers to
>internally discovered vulnerabilities as well as the ones coordinated via
>our SVCRP program.
>If major vendors as well as the Top3/Top5 vulnerability coordination houses
>are CNAs then we would "automatically" get a solid coverage for at lot of
>the most interesting sources/products.
>Med venlig hilsen / Kind regards
>Carsten H. Eiram
>Chief Security Specialist
>Follow us on twitter
>Rued Langgaards Vej 8
>2300 Copenhagen S
>Phone +45 7020 5144
>Fax +45 7020 5145