[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Updating the Products and Sources list.



So which of these products / vendors have associated CNAs that should already be covered and are outside of MITREs direct assignment responsibility? Could the list be enriched with that information?

If we have CNAs for specific areas/items then we need to identify them. I have been under the impression the products / sources lists were for MITREs use directly.
---
Kent Landfield
+1.817.637.8026

From: <owner-cve-editorial-board-list@lists.mitre.org<mailto:owner-cve-editorial-board-list@lists.mitre.org>> on behalf of "Evans, Jonathan L." <jevans@mitre.org<mailto:jevans@mitre.org>>
Date: Thursday, January 7, 2016 at 2:00 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org<mailto:cve-editorial-board-list@lists.mitre.org>>
Subject: Updating the Products and Sources list.

All,

Several years have passed since the creation of the Products and Sources list (http://cve.mitre.org/data/board/archives/2012-09/msg00000.html), which MITRE uses to prioritize CVE coverage. Since that time, products have changed names, the importance of products have changed, sources have come and gone, etc.  It is well past time for an update.  MITRE is seeking the Editorial Boards guidance on what the updated list should contain.  We have included a new proposed list below to kick off the discussion.

When we went through this process in 2012, MITRE was looking for advice on prioritization of CVE processing, so we focused on the sources we use to create the CVEs.  This time, we want help with prioritizing both reservation request processing and CVE processing.  Since we rarely know the source the requester will use at the time of reservation but we often, though not always, know the product, our proposed updates consist largely of new products.  The sources section still needs updating but we think focusing on products will provide the largest impact for the effort.

Along with the expanded product list, we included a more granular prioritization system.  On the current list, the priorities are "Must Have" and everything else.  We believe there are products that fall between these priorities, and we feel it would help MITRE and the community at large if we make our prioritization explicit.  We have broken down the new list using the following priority tiers:
Tier 1: Must Cover - This tier is the same as the current "Must Have" category.  Products in this class should be widely used and likely to be targeted by attackers.
Tier 2: Should Cover - Products in this tier should be covered, but full coverage is not required.  Products in this tier should have wide distribution.
Tier 3: Can Cover - These products are nice to have.  Products in this list have a more limited distribution or have some other mitigating factor.
Tier 4: May Not Cover - This tier contains products that are not named on the list.  These products are given the lowest priority.
Tier 5: Must Not Cover - Products that should not be assigned a CVE are included in this tier.  We are not proposing any additions to this tier other than site-specific products, which have been long established as outside the scope of CVE.

Please note that packaging approaches in Linux distributions still present challenges for prioritization.  The definition of coverage for Linux vendors that the Editorial Board previously agreed upon was to publish CVEs for every vulnerability in every package the vendor supports.  This means that by covering Debian, we must also cover the vulnerabilities in products like 0ad, a real-time strategy game.  We don't think that such products should be given the same kind of attention as products like tar or curl.  However, the sheer number of packages Linux vendors support (e.g., according to Wikipedia, Debian has 56,864 packages) make prioritizing them individually prohibitive, and we don't think it is worth the Board's time.  We don't have a good way of prioritizing coverage of Linux packages, so we greatly encourage any suggestions from those who do.

As I said earlier in this email, everything mentioned here is simply to start the conversation.  MITRE relies on the Board's guidance, and we fully expect there to be many revisions to our proposal.

-
Jonathan Evans
CVE Content Technical Lead
The MITRE Corporation

------------------------

TIER 1 - MUST COVER
        Adobe
        Alcatel-Lucent
        Apache Software Foundation: Apache HTTP Server
        Apple
        CA Technologies
        Check Point: Security Gateways product line
        Cisco
        Citrix
        EMC
        F5
        Fortinet: FortiGate product line
        F-Secure
        Google: Google Chrome
        Hewlett Packard Enterprise
        HP Inc.
        IBM
        Intel: McAfee
        Internet Systems Consortium (ISC)
        Juniper
        kernel.org: Linux kernel
        Microsoft
        MIT Kerberos
        Mozilla
        MySQL
        OpenLDAP
        OpenSSH
        OpenSSL
        Oracle
        PHP
        Pulse Secure (formerly Juniper Junos)
        SAP
        Sendmail
        Sophos
        Symantec
        VMware
        WebKit
        WordPress
        Xen

TIER 2 - SHOULD COVER
        A10 Networks
        Adtran
        AMD
        Android (associated with Google or Open Handset Alliance)
        Arista Networks
        Aruba Networks
        Atlassian
        Attachmate: Novell
        Avast
        Avaya
        Barracuda Networks
        Bitdefender
        Blue Coat
        Dell: Desktop/Notebook product lines
        Dell: SonicWALL Network Security product line
        Drupal
        ESET
        Fortinet
        Fujitsu: Desktop/Notebook product lines
        Good for Enterprise
        Grails
        Groovy
        Intel
        Joomla!
        Kaspersky Lab
        Lenovo: general-purpose computers, software for general-purpose
                operating systems, mobile devices, enterprise storage and networking
                products
        LibreOffice
        LibreSSL
        Nvidia
        OpenStack
        Opera
        Palo Alto Networks
        Panda Security
        Perl
        Pivotal
        Python
        RealNetworks
        RIM/BlackBerry
        Ruby
        Samba
        Splunk
        Tenable Network Security
        Trend Micro
        TYPO3
        Veritas Software
        WatchGuard
        Webroot
        Websense

TIER 3 - CAN COVER
        Agilent
        AirWatch
        ARCserve
        b2evolution
        BMC
        Borland
        Brocade Communications Systems
        certificate-transparency
        Cloudera
        CMS Made Simple
        CommuniGate Pro
        Corel
        CoreMedia CMS
        Dart
        Dell: general-purpose computers and tablets, software for
                general-purpose operating systems, printers, enterprise storage and
                networking products
        django CMS
        docSTAR eclipse
        DokuWiki
        Dotclear
        DotCMS
        DotNetNuke
        Duo Security
        Ektron CMS
        Exponent CMS
        FirstSpirit
        Foswiki
        Foxit
        FreeSWITCH
        Geeklog
        Hitachi Information Technology products
        HTC
        Huawei
        iDirect
        ikiwiki
        ImpressPages
        Invision Power Suite
        Ipswitch
        knockoutjs.com Knockout
        LG: mobile devices
        Liferay
        LiteSpeed Web Server
        LogMeIn
        Magento
        MobileIron
        MODX
        MoinMoin
        Motorola Mobility: mobile devices
        Movable Type
        Mura CMS
        MyBB
        NaviServer
        NetApp
        NetBSD
        Nokia
        Novius OS
        OpenBSD
        OpenText FirstClass
        OpenXava
        Open-Xchange
        PhpWiki
        PivotX
        Play Framework
        Plone
        Pluck
        PmWiki
        polymer-project.org Polymer
        PowerMTA
        Resin
        Samsung: mobile devices
        SAS
        Scalix
        SDL Tridion
        Serendipity
        SilverStripe
        Sitecore Experience Platform
        SolarWinds
        Tibco
        Tiki
        TrueCrypt
        TWiki
        Ubiquiti Networks
        Umbraco
        vBulletin
        VeraCrypt
        WinZip
        Workshare
        XOOPS
        Zikula
        Zimbra Collaboration Suite

TIER 4 - MAY NOT COVER
        Any product not specified in any other tier.

TIER 5 - MUST NOT Cover
        Site-specific products, e.g. google.com

Unspecified - The vendors in this section support products that have a varying degrees of importance.
        Apache Software Foundation: All
        Attachmate: SUSE
        CentOS
        Debian
        Fedora
        FreeBSD
        Gentoo (Linux)
        openSUSE
        Red Hat
        Ubuntu


Page Last Updated or Reviewed: January 08, 2016