Re: Sources: Full and Partial Coverage (CNA increase)
On 6/25/12 11:38 AM, Mann, Dave wrote:

> We haven't talked about increasing the number of CNAs yet, but that is definitely coming.
>
> Increasing CNAs is a part of the "how" we cover what we cover discussion, as is quality of descriptions and minimum requirements.
>
> First we need to get through the "what" we're going to cover part.

OK, I'm trying to reconcile the products and sources approaches, and I don't think it matters much, unless we're already at the point of trying to distribute CNA coverage.

What should CVE cover? CVE should cover vulnerabilities. I'd like CVE to cover, if not all, then the most important vulnerabilities. "Most important" gets a bit tricky, but one aspect should be the scope of the vulnerability -- the number of people affected, possibly within a constituency. A vulnerability affects one or more products, and we care about products because they are used by or affect (service) many (or few) people. phpGolf? Affects few, don't include. (*) Microsoft XML Core Services? Affects many, include.

Other "importance" factors are the usual things like impact, ease of exploitation, related incident activity, ease of access, etc. CVSS-like stuff. I don't necessarily recommend this, but CVE should include all vulnerabilities with a CVSS environmental score of X or higher (with environment == the internet).

*) I'd still like to be able to talk about this vulnerability, so give it an ID and a URL to the report. If it turns out to be false or a duplicate, mark it accordingly. Let me decide if I care about phpGolf or not. We're assuming (and are probably correct) that most people don't care (or maybe that only few people use phpGolf), so it isn't worth the effort to create a CVE entry. But... CVE includes vulnerabilities. Products are a vulnerability criterion.

I think the task to define what to include in CVE should be developing language that defines an "important vulnerability." So:

1. What? CVE should include "important" vulnerabilities. Vulnerabilities that allow remote root, that affect > 10 people, that are being exploited, that have UIs in Spanish, etc.

2. How? CVE can draft a list of sources it monitors, and/or a list of products covered (by criteria defined in #1), and/or a list of CNAs responsible for public vul disclosure market segments (ICS-CERT, CN-CERT, etc.), and definitions of those segments.

There's discussion about products- or sources-based criteria. I don't think it matters; we can have lists of both, as long as they are in service to #1.

Perhaps we jumped straight to #2, since we all know CVE is about vulnerabilities, and Dave is after the list of sources?

- Art

PS, can/should we convene the board (or enough of it) in person? Via WebEx or equivalent?