Re: CVE Information Sources & Scope

> Government Information Sources

>   US-CERT Advisories (aka CERT-CC Advisories)
Must have.  Although largely republication at the moment, we expect this
to change, and volume is fairly low.

>   US-CERT Vulnerability Notes (CERT-CC)
Must have.

>   US-CERT Bulletins (aka Cyber-Notes)
These are collections of already public reports, possibly generated from
CVE even?

>   DoD IAVAs 
Doubt usefulness.  Republication well after CVE has been assigned?

Good to watch, new vul reports rarely come out.

Almost exclusively republication.  AusCERT even provides a list of what
products/vendors they monitor (or did).

>   CIAC
Name changed, believe this is entirely republication.

> CNA Published Information
Must have, but included in US-CERT vul notes and Alerts above.

>   Microsoft
>   RedHat
>   Debian
>   Apache
>   Apple OSX
>   Oracle
Must have.

> Non-CNA Vendor Advisories
>   Solaris 
>   Suse 
>   Mandriva
>   HP-UX
>   SCO
>   AIX
>   Cisco IOS
>   Free BSD
>   Open BSD
>   Net BSD
>   Gentoo (Linux)
>   Ubuntu (Linux)
Must have, although as usual lots of duplication across Linux/UNIX distros.

> Mailing Lists & VDBs

It's been a while since I watched any of these closely.

>   Bugtraq
Must have.

>   Vuln-Watch
>   VulnDev
Not sure what these are like anymore.  Seemed to be low signal.

>   Full Disclosure
Lots of noise, but new reports come out.  Must have.

>   Security Focus
Bugtraq?  Or other lists?

>   Security Tracker
Not sure of current quality/signal.

Must have, because they're trying to be reference complete.

>   ISS X-Force

Changed name again -- VUPEN?  If they provide original reports, then
must have.

>   Secunia
Good to have.

>   Packet Storm
No longer familiar, seems dated.

>   SecuriTeam
No longer familiar.

>   SANS Mailing List (Qualys)
Don't know about new vul reports here.

>   Neohapsis (Security Threat Watch)
Only know about their archive service.

IMO, any and every source of "OC" (original content, original vul
reports) should be monitored, starting with major vendors, CNAs, and
sources with high quality signal (even if they are also noisy).

 - Art

Page Last Updated or Reviewed: November 06, 2012