RE: CVE Information Sources & Scope

["Williams, James K" <James.Williams@ca.com>]

Comments inline. Feel free to contact me if you have any questions or comments about my assignments.

Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22@ca.com - 816-914-4225

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Mann, Dave
Sent: Tuesday, October 04, 2011 9:40 AM
To: cve-editorial-board-list
Subject: CVE Information Sources & Scope

Folks,

I've been away at a conference and just back so thought I would nudge the conversation regarding CVE forward.

We really need to push further on questions of scope before we can talk about staffing, speed and quality issues.

Below (under my sig file) is a list of possible information sources that CVE could use.  This list is not meant to be complete, or even framed in the most helpful way.   But, I want to get some form of specifics out to foster more discussion.

I've organized this into 4 groups: Government Information Sources, CNA Published Information, Non-CNA Vendor Advisories, Mailing Lists & VDBs.

Please review each sub-list and categorize each information source as:
+ must have
+ nice to have
+ should be ignored

The yard-stick by which to consider these is, does CVE need to capture vulnerabilities from this source in order to full-fill its charter?

Also, if you see any "must have" or "nice to have"  information source, please add them to the list and 


-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003 ==================================================================


Government Information Sources
+ must have  US-CERT Advisories (aka CERT-CC Advisories)
+ must have  US-CERT Vulnerability Notes (CERT-CC)
+ must have  US-CERT Bulletins (aka Cyber-Notes)
+ must have  DoD IAVAs
+ nice to have  NISCC
+ nice to have  AUS-CERT
+ nice to have  CIAC


CNA Published Information
+ must have  CMU/CERT-CC
+ must have  Microsoft
+ must have  RedHat
+ nice to have  Debian
+ must have  Apache
+ must have  Apple OSX
+ must have  Oracle

  
Non-CNA Vendor Advisories
+ must have  Solaris 
+ must have  Suse 
+ must have  Mandriva
+ must have  HP-UX
+ should be ignored  SCO
+ must have  AIX
+ must have  Cisco IOS
+ must have  Free BSD
+ must have  Open BSD
+ must have  Net BSD
+ must have  Gentoo (Linux)
+ must have  Ubuntu (Linux)



Mailing Lists & VDBs
+ must have  Bugtraq
+ should be ignored  Vuln-Watch 
+ should be ignored  VulnDev
+ must have  Full Disclosure
+ must have  Security Focus
+ must have  Security Tracker
+ must have  OSVDB
+ nice to have  ISS X-Force
+ nice to have  FRSIRT
+ must have  Secunia
+ must have  Packet Storm
+ nice to have  SecuriTeam
+ should be ignored  SANS Mailing List (Qualys)
+ should be ignored  Neohapsis (Security Threat Watch)