Re: Update Disclosure Sources List - Please Vote!

[Art Manion <amanion@cert.org>]

On 2011-10-11 15:58 , Mann, Dave wrote:
>> From: Kent_Landfield@McAfee.com [mailto:Kent_Landfield@McAfee.com]
>> Non-OS venders should be included
>> Specifically Desktop products that are commonly seen in both corporate and
>> consumer systems
> 
> Can you name names?  That's a potentially very large list.
> 
> Would it be worth combining this with a numeric qualifier?  Say, desktop products that produce more than 10 disclosures a year? (pulling that number out of the air)

Not speaking for Kent:  Adobe, popular browser vendors, things that
parse video/images/audio, Microsoft (already covered), office suites,
maybe popular chat software...  I'm probably missing something.

>> 2.  Nice to have
>>    *   ZDI
>>    *   Exploit-DB
>>    *   MSVR - Microsoft Vulnerability Research Advisories
>>    *   iDefense
>>    *   cisco-sa-xxxxxxxx-xxx (Cisco Security Advisories)
>>    *   Htxxxx (Apple)
>>    *   VMSA (Vmware Security Advisories)
>>    *   CNVD (China National Vulnerability Database)
>>    *   Metasploit Module Ids
> 
> Some of these are behind pay-walls, no?
> 
> CVE charter is to provide ids for "publicly available" vulnerabilities.  
> 
> I don't consider things behind pay-walls as publicly available.  My mind could be changed on that but it would need to be a good argument.

I think it's reasonable to stick with publicly available.  The stuff
behind the pay walls usually/eventually comes out, then it can get a CVE
ID.  The discloser might even be a CNA, or at least request CVE IDs as
the vuls come out publicly.  I wouldn't suggest trying to track hints
about upcoming releases or non-public vuls -- costly and inaccurate.


 - Art