
RE: Update Disclosure Sources List - Please Vote!



A few more info sources to consider ...

http://www.exploit-db.com/
Notes: effectively replaced milw0rm, good source for exploit code

http://isc.sans.org/
Notes: decent source for significant new security events, patches, zero day

http://www.webappsec.org/lists/websecurity/archive/
Notes: mostly noise, but rare vuln disclosures do occur

http://www.linuxsecurity.com/
Notes: Central resource for major Linux vendors, but would be better to monitor vendors directly

http://www.immunityinc.com/ceu-index.shtml
Notes: Regularly post fresh or zero day exploit info, but must have subscription

http://aluigi.altervista.org/
Notes: very prolific vuln researcher, worth monitoring directly due to volume

http://www.coresecurity.com/content/core-impact-pro-security-updates
Notes: Occasionally post fresh or zero day exploit info, but must have subscription


Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22@ca.com - 816-914-4225


-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Mann, Dave
Sent: Wednesday, October 05, 2011 11:33 AM
To: cve-editorial-board-list
Subject: Update Disclosure Sources List - Please Vote!

Folks,

First, thanks to all who've responded to the request for votes on must-haves and nice-to-haves regarding vulnerability disclosure sources.

If you haven't weighed in yet, please do so.  Having us all (the Editorial Board) in agreement on must-haves vs nice-to-haves will be important before we can talk about harder issues like response time and scalability.

I've compiled the votes to date and have presented them in plain text below (because, yes, I am that old).

BIG NOTE:  I was expecting you all to add a *LOT* more different information sources.  As Art correctly noted, this list of sources is dated.  In particular, when it comes to vendor issued disclosures, it really reflects the traditional bias towards OS level vulnerabilities that speaks of our older history.

I'm frankly surprised that you all aren't suggesting more non-OS vendors that must be monitored.    

I would ask that you all think hard about whether or not non-OS vendors should be added, or is it sufficient to monitor non-vendor sources for this class?


-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================


VULNERABILITY INFORMATION SOURCES             [ M,  N,  I]
  M = must have
  N = nice to have
  I = ignore


Government Information Sources
  US-CERT Advisories (aka CERT-CC Advisories) [ 5,  0,  0] 
  US-CERT Vulnerability Notes (CERT-CC)       [ 5,  0,  0]
  US-CERT Bulletins (aka Cyber-Notes)         [ 4,  1,  0]
  DoD IAVAs                                   [ 3,  1,  0]
  NISCC                                       [ 1,  3,  0]
  AUS-CERT                                    [ 2,  2,  1]
  CIAC (name has changed)                     [ 1,  2,  2]


CNA Published Information
  CMU/CERT-CC                                 [ 5,  0,  0]
  Microsoft                                   [ 5,  0,  0]
  RedHat                                      [ 5,  0,  0]
  Debian                                      [ 2,  3,  0]
  Apache                                      [ 5,  0,  0]
  Apple OSX                                   [ 5,  0,  0]
  Oracle                                      [ 5,  0,  0]

  
Non-CNA Vendor Advisories
  Solaris                                     [ 4,  0,  0]
  Suse                                        [ 4,  1,  0]
  Mandriva                                    [ 4,  0,  1]
  HP-UX                                       [ 4,  1,  0]
  SCO                                         [ 2,  0,  3]
  AIX                                         [ 4,  0,  1]
  Cisco IOS                                   [ 5,  0,  0]
  Free BSD                                    [ 4,  1,  0]
  Open BSD                                    [ 4,  1,  0]
  Net BSD                                     [ 4,  0,  1]
  Gentoo (Linux)                              [ 4,  1,  0]
  Ubuntu (Linux)                              [ 4,  1,  0]



Mailing Lists & VDBs
  Bugtraq                                     [ 5,  0,  0]
  Vuln-Watch                                  [ 0,  0,  4]
  VulnDev                                     [ 0,  0,  4]
  Full Disclosure                             [ 2,  3,  1]
  Security Focus                              [ 2,  0,  1]
  Security Tracker                            [ 2,  0,  1]
  OSVDB                                       [ 2,  2,  1]
  ISS X-Force                                 [ 1,  2,  1]
  FRSIRT  (VUPEN)                             [ 1,  3,  1]
  Secunia                                     [ 1,  2,  1]
  Packet Storm                                [ 1,  1,  2]
  SecuriTeam                                  [ 0,  2,  1]
  SANS Mailing List (Qualys)                  [ 0,  1,  2]
  Neohapsis (Security Threat Watch)           [ 0,  0,  3]
  Metasploit                                  [ 0,  1,  0]
  Snort                                       [ 0,  1,  0]
  Contagiodump.blogspot.com                   [ 0,  1,  0]
  Oss-security                                [ 1,  0,  0]



Page Last Updated or Reviewed: November 06, 2012