[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Vendor mapping NDA is ready

Vendors/database owners:

The nondisclosure agreement for tool/database mappings is ready.  I
will email it to you under separate cover (it's in Word format).

I'd like to get a notion of how far along each vendor is with respect
to generating your vulnerability lists (with your own vulnerability
ID's).  For the benefit of the vendors who've recently joined, I've
included a description below of what sorts of data would help me (and
you) create the most useful mappings.

- Steve

It would be best for you to provide me with an "annotated"
vulnerability list for your tool.  This will allow you to link back to
your own internal databases more easily.  As a reminder:

>2) For the mappings to be most effective, I need to obtain an
>up-to-date vulnerability list from you for your tool(s), in the
>following format (or as close as possible):
>  - a single line per vulnerability (or, multiple line entries
>    separated by a carriage return)
>  - short text description for the vulnerability (single line "short
>    descriptions, or 3-5 lines; worst case, the full description)
>    part of the vulnerability entry, but not required).  This
>    requirement is for your benefit - most vulnerability lists I
>    used don't have the vendor's vulnerability ID associated with it,
>    so you would have had to match up CVE numbers to your text
>    descriptions.  Whatever ID you use is fine, as long as it allows
>    you to get back to the information you need.
>  - list references (preferred, not required; this helps narrow the
>    search and increases accuracy)
>Here are some example entries (a la X-force database, where the first
>word in the line is the X-Force vulnerability name):
>aix-infod AIX infod vulnerability allows local user to gain root
>bnu-uucpd-bo BNU uucpd contains a buffer overflow which allows a local
>user to execute arbitrary commands as root.
>smtp-875bo Sendmail 8.7.5 stack BO

Feel free to email me this information once you have obtained it, and
I will create the appropriate mappings.  The mappings should be ready
soon after you have signed the NDA's on your end.

If you cannot provide such a list, then a simpler list (e.g. single
line descriptions that you might use in product literature) may be
fine - but it will be more inconvenient for you to link back to your

In the interest of fairness, I am willing to offer this "service" to
anyone on the Editorial Board (not just vendors) provided you can give
me a vulnerability list.

- Steve

Page Last Updated or Reviewed: May 22, 2007