Re: Sources: Full and Partial Coverage (CNA increase)
On 2012-06-25 14:59, security curmudgeon wrote:
> : What should CVE cover? CVE should cover vulnerabilities. I'd like CVE
> : to cover, if not all, then the most important vulnerabilities. "Most
> : important" gets a bit tricky, but one aspect should be the scope of the
> : vulnerability -- the number of people affected, possibly within a
> : constituency. A vulnerability affects one or more products, and we care
> : about products because they are used by or affect (service) many (or
> : few) people.
> You are entirely right. And, you are using sketchy wording =)
> : phpGolf? Affects few, don't include. (*)
> : Microsoft XML Core Services? Affects many, include.
> Siemens SIMATIC? Affects very few customers, don't include.
> Siemens SIMATIC? Affects hundreds of millions of THEIR customers, include.
> There are dozens of software packages that many haven't heard of, even in
> the VDB world. Yet, they are embedded in hundreds or thousands of other
> packages. Jetty, SPAW, and FckEditor just to name a few. There are more
> that I can't think of right off, but I routinely see in changelogs of
> bigger / more visible products.
It's not sketchy, it's precise :) "...used by or affect..." is meant to
include SIMATIC, and Facebook, and others. I mean that the product could
also affect many, not only that the many each have a copy of the product.
> : Other "importance" factors are the usual things like impact, ease of
> : exploitation, related incident activity, ease of access, etc.
> : CVSS-like stuff. I don't necessarily recommend this, but CVE should
> : include all vulnerabilities with a CVSS environmental score of X or
> : higher (with environment == the internet).
> I don't think that is a valid criterion really, as XSS / LFI / RFI / SQLi
> are all 5+. I use 5 as the example because of PCI; any of those will fail
> a PCI certification test. I'd love to see someone do some quick stats on
> the number of vulns broken out by CVSS score, but I'd wager 75%+ are CVSS
> 4+ (I think the actual PCI certification cutoff now?).
I said I didn't necessarily recommend it (CVSS), but assuming some
severity metric or definition, I'd like CVE to come up with a level of
importance/criteria that results in the vulnerability getting into CVE.
Also, and off-topic, sites with those web app vulns should probably fail PCI.