Re: CVE Information Sources & Scope
I apologize, but I'm going to add to (must/should/ignore) a "don't know", which I'll just indicate by a dash.
Government Information Sources
must US-CERT Advisories (aka CERT-CC Advisories)
must US-CERT Vulnerability Notes (CERT-CC)
must US-CERT Bulletins (aka Cyber-Notes)
- DoD IAVAs
- NISCC
must AUS-CERT
ignore CIAC (My understanding is that CIAC advisories are sufficiently coordinated with CERT that the additional interface is not high return)
CNA Published Information
must CMU/CERT-CC
must Microsoft
must RedHat
should Debian
must Apache
must Apple OSX
must Oracle
Non-CNA Vendor Advisories
? Solaris (Isn't Solaris now part of Oracle, a CNA?)
should Suse
ignore Mandriva
should HP-UX
ignore SCO
ignore AIX
must Cisco IOS
should FreeBSD
should OpenBSD
ignore NetBSD
should Gentoo (Linux)
should Ubuntu (Linux)
Mailing Lists & VDBs
must Bugtraq
- Vuln-Watch
- VulnDev
ignore Full Disclosure (see below)
- Security Focus
- Security Tracker
should OSVDB
must ISS X-Force
should FRSIRT
should Secunia
- Packet Storm
- SecuriTeam
- SANS Mailing List (Qualys)
- Neohapsis (Security Threat Watch)
Full disclosure list: So why am I advocating for the CVE team to ignore full disclosure? It's not because I think the list is low value, but because I expect that other groups are reading it, processing it, and doing noise reduction.
I'll advocate as a should for three additional sources:
should: metasploit
should: Snort
should: Contagiodump.blogspot.com "Overview of exploit packs"
My logic for all three is that the attacks contained are likely to be used (metasploit), things that Snort contributors think they should be seeing (and thus which hit the initial CVE use case), and the exploit pack data because those attacks are seen in the wild and, in my current professional use of CVE, are the ones which I spend the most time with.
Adam