Re: Sources: Full and Partial Coverage (CNA increase)

To: Carsten Eiram <che@secunia.com>
Subject: Re: Sources: Full and Partial Coverage (CNA increase)
From: Art Manion <amanion@cert.org>
Date: Mon, 25 Jun 2012 14:04:13 -0400
CC: "'Mann, Dave'" <damann@mitre.org>, "'cve-editorial-board-list'"<cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-Date: Mon Jun 25 14:05:12 2012
In-Reply-To: <F4A3A6029AA9A54E8FA9BF5FB9834C790D6B76DF@exch-hq-1.secunia.local>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
OpenPGP: id=36C268A3
References: <2F43C4D2BE8AD24C8AC17D8C64B379B316BE3E@IMCMBX01.MITRE.ORG> <ED311CBEE6993C428563DEDF6D083BC83E4ABFE7@usilms113b.ca.com> <alpine.LNX.2.00.1205091307280.10340@forced.attrition.org> <2F43C4D2BE8AD24C8AC17D8C64B379B316E94C@IMCMBX01.MITRE.ORG> <F4A3A6029AA9A54E8FA9BF5FB9834C790D6B76DF@exch-hq-1.secunia.local>
Sender: <owner-cve-editorial-board-list@LISTS.MITRE.ORG>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0) Gecko/20120614 Thunderbird/13.0.1

On 6/25/12 7:06 AM, Carsten Eiram wrote:

> Finally, since CVE is not competing with any VDBs, they can as far as
> I'm concerned rely quite a bit on VDBs to pick up vulnerabilities
> from random sources instead of doing it themselves. Also, if no VDBs
> or major sources cover a specific vulnerability report, how important
> is it then for it to have a CVE identifier assigned? If a critical
> vulnerability in a popular product, then the VDBs have failed, but
> will likely pick it up eventually (and CVE can then catch it from
> there) - I don't consider it to be the responsibility of the CVE team
> to uncover it.

I have a vague future vision of more qualified and trained CNAs covering
segments of the public vulnerability disclosure market (JPCERT for
Japan, ICS-CERT for control systems, Red Hat for Red Hat, etc), with CVE
being the CNA of last resort, as well as the conflict resolver and CNA
grey-bearded guru.  In product terms, some CNAs could take
responsibility for certain products or classes of product.  In source
terms, CVE could monitor a set of current VDBs, and only put in further
effort if something gets missed or there's a conflict.

 - Art

Follow-Ups:
- Re: Sources: Full and Partial Coverage (CNA increase)
  - From: security curmudgeon <jericho@attrition.org>
- RE: Sources: Full and Partial Coverage (CNA increase)
  - From: Carsten Eiram <che@secunia.com>

References:
- RE: Sources: Full and Partial Coverage
  - From: Carsten Eiram <che@secunia.com>

Prev by Date: RE: Sources: Full and Partial Coverage (CNA increase)
Next by Date: Re: Sources: Full and Partial Coverage
Prev by thread: RE: Sources: Full and Partial Coverage
Next by thread: Re: Sources: Full and Partial Coverage (CNA increase)
Index(es):
- Date
- Thread

Page Last Updated: November 06, 2012

Common Vulnerabilities and Exposures

Re: Sources: Full and Partial Coverage (CNA increase)