RE: Update Disclosure Sources List - Please Vote!

On Wed, 5 Oct 2011, Williams, James K wrote:

> http://www.webappsec.org/lists/websecurity/archive/
> Notes: mostly noise, but rare vuln disclosures do occur

In these cases, it may be more reasonable to depend on "inheriting" 
coverage from the other vuln DBs.

> http://www.linuxsecurity.com/
> Notes: Central resource for major linux vendors, but would be better to 
> monitor vendor directly

I agree with that.

> http://www.immunityinc.com/ceu-index.shtml
> Notes: Regularly post fresh or zero day exploit info, but must have 
> subscription

These then are "not public" and outside scope.  Several years ago, we went 
through a phase where we tried to cover paid exploit packs e.g. from 
Evgeny or CANVAS, but there is so little public information that the risk 
of dupes seemed too high.

> http://aluigi.altervista.org/
> Notes: very prolific vuln researcher, worth monitoring directly due to 
> volume

Luigi is getting extra attention these days because of his SCADA exploits.

> http://www.coresecurity.com/content/core-impact-pro-security-updates
> Notes: Occasionally post fresh or zero day exploit info, but must have 
> subscription

CORE is one of a relatively small number of researcher CNAs (including 
Secunia) for their own advisories, so they should be "must have".

- Steve

Page Last Updated or Reviewed: November 06, 2012