Re: CVE Information Sources & Scope

[Tom Stracener <strace@gmail.com>]

Dave, Board,

My take on this:

Government Information Sources
+ must have  US-CERT Advisories (aka CERT-CC Advisories)
+ must have  US-CERT Vulnerability Notes (CERT-CC)
+ must have  US-CERT Bulletins (aka Cyber-Notes)
+ must have  DoD IAVAs
+ nice to have  NISCC
+ nice to have  AUS-CERT
+ nice to have  CIAC

CNA Published Information
+ must have  CMU/CERT-CC
+ must have  Microsoft
+ must have  RedHat
+ nice to have  Debian
+ must have  Apache
+ must have  Apple OSX
+ must have  Oracle

Non-CNA Vendor Advisories
+ must have  Solaris
+ must have  Suse
+ must have  Mandriva
+ must have  HP-UX
+ should be ignored  SCO
+ must have  AIX
+ must have  Cisco IOS
+ must have  Free BSD
+ must have  Open BSD
+ must have  Net BSD
+ must have  Gentoo (Linux)
+ must have  Ubuntu (Linux)

Mailing Lists & VDBs
+ must have  Bugtraq
+ should be ignored  Vuln-Watch
+ should be ignored  VulnDev
+ nice to have  Full Disclosure
+ must have  Security Focus
+ must have  Security Tracker
+ nice to have  OSVDB
+ nice to have  ISS X-Force
+ nice to have  FRSIRT
+ nice to have  Secunia
+ should be ignored  Packet Storm
+ nice to have  SecuriTeam
+ should be ignored  SANS Mailing List (Qualys)
+ should be ignored  Neohapsis (Security Threat Watch)