
Re: CVE Must-Have Coverage

Tracking vulnerabilities in the following would be good, too, as their use is spread quite widely:
ISC Bind / dhcpd
potentially other core technologies, such as zlib, which have low-frequency vulnerabilities but wide impact.

Also, perhaps something to track zero-day-ish things that aren't reported to vendors.

My 2 cents.

On Oct 11, 2011, at 3:03 PM, Mann, Dave wrote:


Below, please find a somewhat stabilizing set of vulnerability sources.

I've tried to capture the best consensus (not pure votes but close).

Please review the list and holler loudly and quickly if you see something you can't live with. This is a living document so nothing is cast in stone. Still, gaining a level of agreement on the scope is a necessary first step.

I'm particularly concerned at the almost complete lack of desktop or enterprise software packages being called out by vendor.

Some are listed but by no means the majority.  The implication to me is that we're very much relying on non-vendor sources to shed light on these types of software.

David Mann | Principal Infosec Scientist | The MITRE Corporation
e-mail:damann@mitre.org | cell:781.424.6003


Government & Related Information Sources
 Must Have
   US-CERT Advisories (aka CERT-CC Advisories)
   US-CERT Vulnerability Notes (CERT-CC)
   US-CERT Bulletins (aka Cyber-Notes)
   DoD IAVAs
 Nice To Have
   DOE CIRC (formerly CIAC)

Vendor Published Information
 Must Have
   Apple OSX
   Cisco IOS
   FreeBSD
   OpenBSD
   NetBSD
   Gentoo (Linux)
   Ubuntu (Linux)
   Google Chrome
 Nice To Have

Mailing Lists & VDBs
 Must Have
   Full Disclosure
   Security Focus
   Security Tracker
 Nice To Have
   ISS X-Force
   FRSIRT (VUPEN)
   Packet Storm
   SANS Mailing List (Qualys)
   Neohapsis (Security Threat Watch)

Page Last Updated or Reviewed: November 06, 2012