Sources List and Some Updates

Folks,

A couple of updates and then the first comprehensive draft of our sources list for your review and comments.

We have been and are continuing to pursue the possibility of hosting a face-to-face meeting at Black Hat. Several moving pieces here and we'll let you all know as soon as we know. Either way, we'll definitely be hosting a teleconference to discuss things.

Regarding several of the ideas that have been suggested recently (i.e. focusing on products, metrics, increasing CNA involvement, how to cover things like Linux):

a) We are working on a list of "must have" products that we will be circulating soon.
b) We are discussing the other issues internally and will have some further thoughts out soon.

Thank you all for your input and engagement on this.

And now, for the list of sources.

We are grouping the sources into 2 major groups: those that should be "fully covered" and those that should be "partially covered".

"Full Coverage" means that for nearly all issues disclosed by the source that could be associated with a CVE entry, there will be an associated CVE entry, regardless of the criticality of the issue.

"Partial Coverage" means that the source will be actively monitored but issues will be processed and associated with CVE entries based on a variety of editorial judgments such as criticality.

As a bridge to the products discussion, we've further sub-divided each of these lists into 2 sub-lists: "Vendor" and "Other".

"Vendor" means the source can be associated with a vendor or primary maintainer of a product or set of products.

"Other" is a catch-all for things like vulnerability databases, mailing lists and advisories from coordination centers, which tend to disclose vulnerability information from many different vendors.

CAVEAT 1: We (MITRE) actively monitor many sources beyond this list. These sources include things like blogs from vulnerability researchers, conference proceedings and media outlets.
The set of such sources that prove to be productive and useful to monitor changes on such a regular basis that we don't feel it would be useful to list them all out specifically.

CAVEAT 2: We have demoted and promoted several sources based on our experience with them. We are happy to discuss adding or removing sources and promoting or demoting sources but, like many of you, we think we're getting to the point of needing to discuss verbally.

In particular, it bears mentioning that we are specifically not monitoring some sources that have been mentioned. Some have disappeared or have been rolled into other sources and some are behind "pay walls" and thus are not considered publicly disclosed. Examples include (but are not limited to) the old CERT-CC Advisories and VUPEN.

FULL COVERAGE SOURCES - VENDOR RELATED
======================================
Adobe
Apache Software Foundation: Apache HTTP Server
Apple
Attachmate: Novell
Attachmate: SUSE
Blue Coat - kb.bluecoat.com
CA - support.ca.com
Check Point: Security Gateways product line (supportcenter.checkpoint.com)
Cisco: Security Advisories/Responses
Citrix - support.citrix.com
Debian
Dell Desktop/Notebook product lines
Dell SonicWALL Network Security product line - Service Bulletins
EMC, as published through Bugtraq
F5 - support.f5.com
Fortinet FortiGate product line (kb.fortinet.com)
Fujitsu Desktop/Notebook product lines
Google: Google Chrome (includes WebKit)
HP: Security Bulletins
IBM: issues in IBM ISS X-Force Database
Internet Systems Consortium (ISC)
Juniper: juniper.net/customers/support (JunOS?)
Lenovo Desktop/Notebook product lines
McAfee - kc.mcafee.com
Microsoft: Security Bulletins/Advisories
MIT Kerberos
Mozilla
OpenSSH
OpenSSL
Oracle: Critical Patch Updates
RealNetworks (real.com)
Red Hat
RIM/BlackBerry - blackberry.com/btsc
Samba Security Updates and Information
SAP - scn.sap.com/docs/DOC-8218
Sendmail
Sophos - sophos.com/support/knowledgebase
Symantec: Security Advisories
Ubuntu (Linux)
VMware
Websense - websense.com/content/support.aspx

FULL COVERAGE SOURCES - OTHER
=============================
HP: TippingPoint DVLabs
HP: TippingPoint Zero Day Initiative
ICS-CERT: ADVISORY
MITRE CNA open-source requests
US-CERT: Technical Cyber Security Alerts
VeriSign iDefense

PARTIAL COVERAGE SOURCE - VENDOR RELATED
========================================
Android (associated with Google or Open Handset Alliance)
Apache Software Foundation: Apache Tomcat
Apache Software Foundation: other
CentOS
Check Point: checkpoint.com/defense/advisories/public/summary.html
Cisco: Release Note Enclosures (RNE)
Drupal
Fedora
FoxIt Support Center - Security Advisories
FreeBSD
Gentoo (Linux)
Google: other (not Chrome or Android)
IBM ISS X-Force for non-IBM products
IBM: issues not in IBM ISS X-Force Database
Joomla!
Juniper - JTAC Technical Bulletins
kernel.org
Mandriva
NetBSD
OpenBSD
PHP core language interpreter
SCO
TYPO3
WordPress

PARTIAL COVERAGE SOURCES - OTHER
================================
attrition.org/pipermail/vim
AusCERT
Core Security CoreLabs
DOE JC3 (formerly DOE CIRC and CIAC)
Full Disclosure
HP: TippingPoint Pwn2Own
http://www.exploit-db.com/
ICS-CERT: ALERT
Juniper: J-Security Center - Threats and Vulnerabilities
Microsoft: Vulnerability Research (MSVR)
oss-security
OSVDB
Packet Storm
Rapid7 Metasploit
Secunia
SecuriTeam
SecurityTracker
Symantec: SecurityFocus BugTraq (securityfocus.com/archive/1)
Symantec: SecurityFocus Bugtraq ID (securityfocus.com/bid)
United Kingdom CPNI (formerly NISCC)
US-CERT: Vulnerability Notes

-Dave

==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================