REMINDER: Board Telecon - Wed, Oct 31, 1-2pm Eastern
Folks,

A reminder that we will be hosting a teleconference with a web broadcast briefing on Wednesday. Please re-review the products and sources list (after my sig), as this will be the first issue on the agenda. Due to the length of the list, it won't be practical to display in a briefing slide. Please refer to this email (or the email sent out on 9/26) during the discussion.

Here is a reminder of the dial-in and web information:

TO ATTEND THE AUDIO CONFERENCE:
Dial 781-271-6338 (x16338) from the Bedford, MA region.
Dial 703-983-6338 (x36338) from the Washington DC region, Nationally or Internationally.
Meeting ID: 258369
Meeting Password: 147258369

TO ATTEND THE MeetingPlace Web Collaboration CONFERENCE:
1. Go to: http://audioconference.mitre.org
2. Enter 258369 into the empty field and click Attend Meeting.
   - Accept any security warnings you receive and wait for the Meeting Room to initialize.
3. If the MeetingPlace Collaboration Window does not automatically open, press connect.

-Dave

==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================

===== CVE COVERAGE GOALS =====

CVE's coverage goals are stated in terms of "sources" of information (e.g. web sites, vendor advisories, vulnerability databases) and "products" (e.g. Microsoft Office, Red Hat Enterprise Linux).

===== SOURCES =====

We separate sources into 2 major groups:
- Those that should be fully covered ("Full Coverage")
- Those that should be partially covered ("Partial Coverage")

"Full Coverage" means that for nearly all issues disclosed by the source that could be associated with a CVE entry, there will be an associated CVE entry, regardless of the criticality of the issue. Although a source is named as "Full Coverage," we purposely use the phrasing "nearly all issues disclosed" to allow the flexibility to potentially postpone coverage of minor issues.

"Partial Coverage" means that the source will be actively monitored, but issues will be processed and associated with CVE entries based on a variety of editorial judgments.

As a bridge to the product coverage goals, we further sub-divide each of these lists into 2 sub-lists:
- "Vendor," meaning the source can be associated with a vendor or primary maintainer of a product or set of products.
- "Other," a catch-all for things like vulnerability databases, mailing lists and advisories from coordination centers, which tend to disclose vulnerability information from many different vendors.

PLEASE NOTE: MITRE actively monitors many sources beyond this list. These sources include things like blogs from vulnerability researchers, conference proceedings and media outlets. Monitoring this set of sources has proven to be productive for and informative to the CVE analysts. Which sources are of most utility is highly dependent on a given situation. As such, we don't believe it to be of general utility to list them all specifically.

----- FULL COVERAGE SOURCES - VENDOR RELATED -----

Adobe
Apache Software Foundation: Apache HTTP Server
Apple
Attachmate: Novell
Attachmate: SUSE
Blue Coat - kb.bluecoat.com
CA - support.ca.com
Check Point: Security Gateways product line (supportcenter.checkpoint.com)
Cisco: Security Advisories/Responses
Citrix - support.citrix.com
Debian
Dell Desktop/Notebook product lines
Dell SonicWALL Network Security product line - Service Bulletins
EMC, as published through Bugtraq
F5 - support.f5.com
Fortinet FortiGate product line (kb.fortinet.com)
Fujitsu Desktop/Notebook product lines
Google: Google Chrome (includes WebKit)
HP: Security Bulletins
IBM: issues in IBM ISS X-Force Database
Internet Systems Consortium (ISC)
Juniper: juniper.net/customers/support (JunOS?)
Lenovo Desktop/Notebook product lines
McAfee - kc.mcafee.com
Microsoft: Security Bulletins/Advisories
MIT Kerberos
Mozilla
OpenSSH
OpenSSL
Oracle: Critical Patch Updates
RealNetworks (real.com)
Red Hat
RIM/BlackBerry - blackberry.com/btsc
Samba Security Updates and Information
SAP - scn.sap.com/docs/DOC-8218
Sendmail
Sophos - sophos.com/support/knowledgebase
Symantec: Security Advisories
Ubuntu (Linux)
VMware
Websense - websense.com/content/support.aspx

----- FULL COVERAGE SOURCES - OTHER -----

HP: TippingPoint DVLabs
HP: TippingPoint Zero Day Initiative
ICS-CERT: ADVISORY
MITRE CNA open-source requests
US-CERT: Technical Cyber Security Alerts
VeriSign iDefense

------ PARTIAL COVERAGE SOURCES - VENDOR RELATED ------

Android (associated with Google or Open Handset Alliance)
Apache Software Foundation: Apache Tomcat
Apache Software Foundation: other
CentOS
Check Point: checkpoint.com/defense/advisories/public/summary.html
Cisco: Release Note Enclosures (RNE)
Drupal
Fedora
FoxIt Support Center - Security Advisories
FreeBSD
Gentoo (Linux)
Google: other (not Chrome or Android)
IBM ISS X-Force for non-IBM products
IBM: issues not in IBM ISS X-Force Database
Joomla!
Juniper - JTAC Technical Bulletins
kernel.org
Mandriva
NetBSD
OpenBSD
PHP core language interpreter
SCO
TYPO3
WordPress

------ PARTIAL COVERAGE SOURCES - OTHER ------

attrition.org/pipermail/vim
AusCERT
Core Security CoreLabs
DOE JC3 (formerly DOE CIRC and CIAC)
Full Disclosure
HP: TippingPoint Pwn2Own
http://www.exploit-db.com/
ICS-CERT: ALERT
Juniper: J-Security Center - Threats and Vulnerabilities
Microsoft: Vulnerability Research (MSVR)
oss-security
OSVDB
Packet Storm
Rapid7 Metasploit
Secunia
SecuriTeam
SecurityTracker
Symantec: SecurityFocus BugTraq (securityfocus.com/archive/1)
Symantec: SecurityFocus Bugtraq ID (securityfocus.com/bid)
United Kingdom CPNI (formerly NISCC)
US-CERT: Vulnerability Notes

====== PRODUCTS ======

All products listed are considered to be "must have". This means that we will ensure that a CVE ID is issued for any public disclosure for the product provided that:

a) the disclosure is publicly associated with the product with a reasonably recognizable variant of the product name (we are not going to entirely solve the product identification problem)

b) the disclosure is published in at least one source that is listed as either "full coverage" or "partial coverage", per the list of sources above.

Products are stated as "vendor: product name", where the product name may be a specific product, set of products or "all".

----- MUST-HAVE PRODUCTS -----

Adobe: all
Apache Software Foundation: all
Apple: all
Attachmate: Novell
Attachmate: SUSE
Blue Coat: all
CA: all
Check Point: Security Gateways product line
Cisco: all
Citrix - support.citrix.com
Debian: all
Dell: Desktop/Notebook product lines
Dell: SonicWALL Network Security product line
EMC: all
F5: all
Fortinet: FortiGate product line
Fujitsu: Desktop/Notebook product lines
Google: Google Chrome (includes WebKit)
HP: all
IBM: all
Internet Systems Consortium (ISC): Bind
Juniper: all
kernel.org (Linux kernel)
Lenovo: Desktop/Notebook product lines
McAfee: all
Microsoft: all
MIT Kerberos: all
Mozilla: all
MySQL: all
OpenLDAP: all
OpenSSH: all
OpenSSL: all
Oracle: all
PHP: core language interpreter
RealNetworks: all
Red Hat: all
RIM/BlackBerry: all
Samba: all
SAP: all
Sendmail: all
Sophos: all
Symantec: all
Ubuntu: all
VMware: all
Websense: all