[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Distribution of mappings to vendors/others - opinions please
- To: cve-review@linus.mitre.org
- Subject: Distribution of mappings to vendors/others - opinions please
- From: "Steven M. Christey" <coley@linus.mitre.org>
- Date: Thu, 13 May 1999 18:57:09 -0400 (EDT)
This could be a touchy subject, so I've tried to word things carefully. Does anybody who is NOT a vendor have a problem with me giving each vendor my mappings, only for their own tools? There may be a concern that the vendors could use these mappings for "marketing purposes" earlier than they are "supposed to" (e.g. before public release.) Would the vendors be able to guarantee that these mappings wouldn't be used for any marketing purposes, at least before public release of the CVE? Note that this particular issue may be a touchy one with my management, so everyone's input will go a long way. I recognize that giving the vendors my current mappings for their tools would reduce duplicate efforts, and help them to more efficiently assess how the CVE may apply to their databases. It is my opinion that MITRE should respect the vendors' requests for "privacy" in limiting the distribution of unreviewed mappings to their tools. However, I know that this might not appear entirely kosher to others. Each of my mappings dates to around February. About 100 CVE vulnerabilities are shared across all/most tools, so we could do a "sub-mapping" if people have problems with me providing the entire mappings. The entire mappings are between 50% and 80% complete with respect to the current CVE version. They have some inaccuracies due to incomplete descriptive text in the vulnerability lists. I have mappings for ISS Internet Scanner, Real Secure, and System Security Scanner, Netect HackerShield, Axent NetRecon (without their own vulnerability ID's), an old version of NetSonar, and CyberCop Scanner. In the spirit of fairness and efficiency, I would be willing to offer a "mapping service" to others in this input forum who have their own vulnerability databases, provided you can give me a text dump of the database's descriptive text and its identifier (if any). I'm familiar enough with the CVE and the advanced mapping script to be able to create a reasonable mapping in a few hours (assuming the database has similar content for the CVE). Of course, the long term maintenance of the mappings will be the database owner's responsibility, as Dave indicated on Sunday. To the non-ISS vendors, note that because I utilized the X-Force database during CVE research, there are already a lot of references in there that implicitly form a partial mapping, although ISS has explicitly NOT utilized this information yet. - Steve
- Prev by Date: RE: Methods for validating the current CVE
- Next by Date: Re: Candidate numbering scheme
- Prev by thread: RE: Candidate numbering scheme
- Next by thread: Administravia
- Index(es):
