[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Update Disclosure Sources List - Please Vote!

[resending due to bounces, and re-edited slightly]

On Thu, 6 Oct 2011, Kent_Landfield@McAfee.com wrote:

> Government Information Sources
>  Ignore - US-CERT Bulletins (aka Cyber-Notes)

These are directly populated from NVD, so assuming NVD continues to be
populated by CVE, these by definition should be ignored unless we want to 
go into some infinitely-recursive loop ;-)

>  Ignore - DoD IAVAs

These are not public, so even referencing them is probably an information 
leak of some kind that DoD probably doesn't want.  Note, however, that 
MITRE's CVE team regularly receives requests for IAVA mappings (maybe the 
IAVA people could handle that?)

> Mailing Lists & VDBs
>  Must Have - Bugtraq

We currently monitor but don't guarantee coverage.

>  Nice to Have - Full Disclosure

There's often too much noise with the flame wars and all, so we don't 
actively monitor (though there are some important disclosures there, but 
we pick them up from other VDBs.)

>    Ignore - Security Focus

If you're talking about BID - note that this is one of the more common
cross-references used in the industry.

>  Must Have - OSVDB

Note that OSVDB tries to capture every vulnerability report, even if from a
small changelog entry with 6 words in it, with very little analysis and
often only a title and a couple references.  They are still actively
pursuing the "cover everything" dream.  Brian Martin and I could talk for
days on the evolving synergies between CVE and OSVDB.  At this stage of the
vuln information industry, OSVDB is on the extreme end of trying to cover
everything, including vulns from the 1960's, voting systems, etc.

>  Must Have - FRSIRT  (VUPEN)

VUPEN stopped publishing their advisories to non-government people a few
months ago.  They are no longer covered because they aren't public. (We also
have 20,000 (yes, thousand) broken links in CVE's current data now that
their DB has disappeared, but that's a different story and a not-uncommon

>  Nice to Have - Oss-security

FYI, these days, I would guess that about 85% of oss-security is related 
to CVE assignment requests, so it's "must have" due to other criteria of 
covering CNAs (thanks to Red Hat for handling oss-security requests.)

- Steve

Page Last Updated or Reviewed: November 06, 2012