RE: Updating the Products and Sources list.
Kent,
All products can fall within MITRE's direct assignment responsibility because participation of an external CNA is not required in the case of a vulnerability that is already public. Also, MITRE sometimes assigns IDs when a CNA chooses not to. For example, some CNAs choose not to assign CVE IDs if they are no longer supporting the product.
-
Jonathan Evans
CVE Content Technical Lead
The MITRE Corporation
> -----Original Message-----
> From: Landfield, Kent B [mailto:kent.b.landfield@intel.com]
> Sent: Thursday, January 07, 2016 4:38 PM
> To: Evans, Jonathan L. <jevans@mitre.org>; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Subject: Re: Updating the Products and Sources list.
>
> So which of these products / vendors have associated CNAs that should already
> be covered and are outside of MITRE's direct assignment responsibility? Could
> the list be enriched with that information?
>
> If we have CNAs for specific areas/items then we need to identify them. I have
> been under the impression the products / sources lists were for MITRE's use
> directly.
> ---
> Kent Landfield
> +1.817.637.8026
>
> From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Evans, Jonathan L." <jevans@mitre.org>
> Date: Thursday, January 7, 2016 at 2:00 PM
> To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Subject: Updating the Products and Sources list.
>
> All,
>
> Several years have passed since the creation of the Products and Sources list
> (http://cve.mitre.org/data/board/archives/2012-09/msg00000.html), which
> MITRE uses to prioritize CVE coverage. Since that time, products have changed
> names, the importance of products has changed, sources have come and gone,
> etc. It is well past time for an update. MITRE is seeking the Editorial Board's
> guidance on what the updated list should contain. We have included a new
> proposed list below to kick off the discussion.
>
> When we went through this process in 2012, MITRE was looking for advice on
> prioritization of CVE processing, so we focused on the sources we use to create
> the CVEs. This time, we want help with prioritizing both reservation request
> processing and CVE processing. Since we rarely know the source the requester
> will use at the time of reservation but we often, though not always, know the
> product, our proposed updates consist largely of new products. The sources
> section still needs updating but we think focusing on products will provide the
> largest impact for the effort.
>
> Along with the expanded product list, we included a more granular prioritization
> system. On the current list, the priorities are "Must Have" and everything else.
> We believe there are products that fall between these priorities, and we feel it
> would help MITRE and the community at large if we make our prioritization
> explicit. We have broken down the new list using the following priority tiers:
> Tier 1: Must Cover - This tier is the same as the current "Must Have" category.
> Products in this class should be widely used and likely to be targeted by attackers.
> Tier 2: Should Cover - Products in this tier should be covered, but full coverage is
> not required. Products in this tier should have wide distribution.
> Tier 3: Can Cover - These products are nice to have. Products in this list have a
> more limited distribution or have some other mitigating factor.
> Tier 4: May Not Cover - This tier contains products that are not named on the list.
> These products are given the lowest priority.
> Tier 5: Must Not Cover - Products that should not be assigned a CVE are included
> in this tier. We are not proposing any additions to this tier other than site-specific
> products, which have been long established as outside the scope of CVE.
>
> Please note that packaging approaches in Linux distributions still present
> challenges for prioritization. The definition of coverage for Linux vendors that the
> Editorial Board previously agreed upon was to publish CVEs for every vulnerability
> in every package the vendor supports. This means that by covering Debian, we
> must also cover the vulnerabilities in products like 0ad, a real-time strategy game.
> We don't think that such products should be given the same kind of attention as
> products like tar or curl. However, the sheer number of packages Linux vendors
> support (e.g., according to Wikipedia, Debian has 56,864 packages) makes
> prioritizing them individually prohibitive, and we don't think it is worth the Board's
> time. We don't have a good way of prioritizing coverage of Linux packages, so we
> greatly encourage any suggestions from those who do.
>
> As I said earlier in this email, everything mentioned here is simply to start the
> conversation. MITRE relies on the Board's guidance, and we fully expect there to
> be many revisions to our proposal.
>
> -
> Jonathan Evans
> CVE Content Technical Lead
> The MITRE Corporation
>
> ------------------------
>
> TIER 1 - MUST COVER
> Adobe
> Alcatel-Lucent
> Apache Software Foundation: Apache HTTP Server
> Apple
> CA Technologies
> Check Point: Security Gateways product line
> Cisco
> Citrix
> EMC
> F5
> Fortinet: FortiGate product line
> F-Secure
> Google: Google Chrome
> Hewlett Packard Enterprise
> HP Inc.
> IBM
> Intel: McAfee
> Internet Systems Consortium (ISC)
> Juniper
> kernel.org: Linux kernel
> Microsoft
> MIT Kerberos
> Mozilla
> MySQL
> OpenLDAP
> OpenSSH
> OpenSSL
> Oracle
> PHP
> Pulse Secure (formerly Juniper Junos)
> SAP
> Sendmail
> Sophos
> Symantec
> VMware
> WebKit
> WordPress
> Xen
>
> TIER 2 - SHOULD COVER
> A10 Networks
> Adtran
> AMD
> Android (associated with Google or Open Handset Alliance)
> Arista Networks
> Aruba Networks
> Atlassian
> Attachmate: Novell
> Avast
> Avaya
> Barracuda Networks
> Bitdefender
> Blue Coat
> Dell: Desktop/Notebook product lines
> Dell: SonicWALL Network Security product line
> Drupal
> ESET
> Fortinet
> Fujitsu: Desktop/Notebook product lines
> Good for Enterprise
> Grails
> Groovy
> Intel
> Joomla!
> Kaspersky Lab
> Lenovo: general-purpose computers, software for general-purpose
> operating systems, mobile devices, enterprise storage and networking
> products
> LibreOffice
> LibreSSL
> Nvidia
> OpenStack
> Opera
> Palo Alto Networks
> Panda Security
> Perl
> Pivotal
> Python
> RealNetworks
> RIM/BlackBerry
> Ruby
> Samba
> Splunk
> Tenable Network Security
> Trend Micro
> TYPO3
> Veritas Software
> WatchGuard
> Webroot
> Websense
>
> TIER 3 - CAN COVER
> Agilent
> AirWatch
> ARCserve
> b2evolution
> BMC
> Borland
> Brocade Communications Systems
> certificate-transparency
> Cloudera
> CMS Made Simple
> CommuniGate Pro
> Corel
> CoreMedia CMS
> Dart
> Dell: general-purpose computers and tablets, software for
> general-purpose operating systems, printers, enterprise storage and
> networking products
> django CMS
> docSTAR eclipse
> DokuWiki
> Dotclear
> DotCMS
> DotNetNuke
> Duo Security
> Ektron CMS
> Exponent CMS
> FirstSpirit
> Foswiki
> Foxit
> FreeSWITCH
> Geeklog
> Hitachi Information Technology products
> HTC
> Huawei
> iDirect
> ikiwiki
> ImpressPages
> Invision Power Suite
> Ipswitch
> knockoutjs.com Knockout
> LG: mobile devices
> Liferay
> LiteSpeed Web Server
> LogMeIn
> Magento
> MobileIron
> MODX
> MoinMoin
> Motorola Mobility: mobile devices
> Movable Type
> Mura CMS
> MyBB
> NaviServer
> NetApp
> NetBSD
> Nokia
> Novius OS
> OpenBSD
> OpenText FirstClass
> OpenXava
> Open-Xchange
> PhpWiki
> PivotX
> Play Framework
> Plone
> Pluck
> PmWiki
> polymer-project.org Polymer
> PowerMTA
> Resin
> Samsung: mobile devices
> SAS
> Scalix
> SDL Tridion
> Serendipity
> SilverStripe
> Sitecore Experience Platform
> SolarWinds
> Tibco
> Tiki
> TrueCrypt
> TWiki
> Ubiquiti Networks
> Umbraco
> vBulletin
> VeraCrypt
> WinZip
> Workshare
> XOOPS
> Zikula
> Zimbra Collaboration Suite
>
> TIER 4 - MAY NOT COVER
> Any product not specified in any other tier.
>
> TIER 5 - MUST NOT COVER
> Site-specific products, e.g. google.com
>
> Unspecified - The vendors in this section support products that have varying
> degrees of importance.
> Apache Software Foundation: All
> Attachmate: SUSE
> CentOS
> Debian
> Fedora
> FreeBSD
> Gentoo (Linux)
> openSUSE
> Red Hat
> Ubuntu