Sources List and Some Updates
A couple of updates and then the first comprehensive draft of our sources list for your review and comments.
We have been and are continuing to pursue the possibility of hosting a face-to-face meeting at Black Hat. Several moving pieces here and we'll let you all know as soon as we know. Either way, we'll definitely be hosting a teleconference to discuss things.
Regarding several of the ideas that have been suggested recently (i.e. focusing on products, metrics, increasing CNA involvement, how to cover things like Linux):
a) We are working on a list of "must have" products that we will be circulating soon.
b) We are discussing the other issues internally and will have some further thoughts out soon.
Thank you all for your input and engagement on this.
And now, for the list of sources.
We are grouping the sources into 2 major groups: those that should be "fully covered" and those that should be "partially covered".
"Full Coverage" means that for nearly all issues disclosed by the source that could be associated with a CVE entry, there will be an associated CVE entry, regardless of the criticality of the issue.
"Partial Coverage" means that the source will be actively monitored but issues will be processed and associated with CVE entries based on a variety of editorial judgments such as criticality.
As a bridge to the products discussion, we've further sub-divided each of these lists into 2 sub-lists: "Vendor" and "Other".
"Vendor" means the source can be associated with a vendor or primary maintainer of a product or set of products.
"Other" is a catch-all for things like vulnerability databases, mailing lists and advisories from coordination centers, which tend to disclose vulnerability information from many different vendors.
CAVEAT 1: We (MITRE) actively monitor many sources beyond this list. These sources include things like blogs from vulnerability researchers, conference proceedings and media outlets. The set of such sources that prove to be productive and useful to monitor changes on such a regular basis that we don't feel it would be useful to list them all out specifically.
CAVEAT 2: We have demoted and promoted several sources based on our experience with them. We are happy to discuss adding or removing sources and promoting or demoting sources but, like many of you, we think we're getting to the point of needing to discuss verbally. In particular, it bears mentioning that we are specifically not monitoring some sources that have been mentioned. Some have disappeared or have been rolled into other sources and some are behind "pay walls" and thus are not considered publicly disclosed. Examples include (but are not limited to) the old CERT-CC Advisories and VUPEN.
FULL COVERAGE SOURCES - VENDOR RELATED
Apache Software Foundation: Apache HTTP Server
Blue Coat - kb.bluecoat.com
CA - support.ca.com
Check Point: Security Gateways product line (supportcenter.checkpoint.com)
Cisco: Security Advisories/Responses
Citrix - support.citrix.com
Dell Desktop/Notebook product lines
Dell SonicWALL Network Security product line - Service Bulletins
EMC, as published through Bugtraq
F5 - support.f5.com
Fortinet FortiGate product line (kb.fortinet.com)
Fujitsu Desktop/Notebook product lines
Google: Google Chrome (includes WebKit)
HP: Security Bulletins
IBM: issues in IBM ISS X-Force Database
Internet Systems Consortium (ISC)
Juniper: juniper.net/customers/support (JunOS?)
Lenovo Desktop/Notebook product lines
McAfee - kc.mcafee.com
Microsoft: Security Bulletins/Advisories
Oracle: Critical Patch Updates
Samba Security Updates and Information
SAP - scn.sap.com/docs/DOC-8218
Sophos - sophos.com/support/knowledgebase
Symantec: Security Advisories
Websense - websense.com/content/support.aspx
FULL COVERAGE SOURCES - OTHER
HP: TippingPoint DVLabs
HP: TippingPoint Zero Day Initiative
MITRE CNA open-source requests
US-CERT: Technical Cyber Security Alerts
PARTIAL COVERAGE SOURCES - VENDOR RELATED
Android (associated with Google or Open Handset Alliance)
Apache Software Foundation: Apache Tomcat
Apache Software Foundation: other
Check Point: checkpoint.com/defense/advisories/public/summary.html
Cisco: Release Note Enclosures (RNE)
FoxIt Support Center - Security Advisories
Google: other (not Chrome or Android)
IBM ISS X-Force for non-IBM products
IBM: issues not in IBM ISS X-Force Database
Juniper - JTAC Technical Bulletins
PHP core language interpreter
PARTIAL COVERAGE SOURCES - OTHER
Core Security CoreLabs
DOE JC3 (formerly DOE CIRC and CIAC)
HP: TippingPoint Pwn2Own
Juniper: J-Security Center - Threats and Vulnerabilities
Microsoft: Vulnerability Research (MSVR)
Symantec: SecurityFocus BugTraq (securityfocus.com/archive/1)
Symantec: SecurityFocus Bugtraq ID (securityfocus.com/bid)
United Kingdom CPNI (formerly NISCC)
US-CERT: Vulnerability Notes
David Mann | Principal Infosec Scientist | The MITRE Corporation