Re: CVE Information Sources & Scope
I already sent my ratings along with a lot of other feedback to Dave, but should share my scoring (see inline) with the board as well (Dave: Hindsight made me change a couple of the ratings + I added scores for the other suggested sources).
Generally, I believe that VDBs (at least the 2-3 major ones like Secunia, OSVDB, and SecurityFocus) are important resources to monitor as information there will be referenced a lot by other sources. Preferably all vulnerability reports covered by these VDBs should have CVEs assigned.
cheers,
/Carsten
> Government Information Sources
> US-CERT Advisories (aka CERT-CC Advisories)
+ M
> US-CERT Vulnerability Notes (CERT-CC)
+ M
> US-CERT Bulletins (aka Cyber-Notes)
+ N
> DoD IAVAs
+ I
> NISCC
+ I
> AUS-CERT
+ I
> CIAC
+ I
> CNA Published Information
+ M (goes for all CNAs)
> Non-CNA Vendor Advisories
+ M (all major software vendors)
> Suse
+ M
> Mandriva
+ I (not that popular anymore)
> HP-UX
+ M (HP in general)
> SCO
+ I (not very active anymore)
> AIX
+ M (IBM in general)
> Cisco IOS
+ M (Cisco in general)
> FreeBSD
+ M
> OpenBSD
+ M
> NetBSD
+ N
> Gentoo (Linux)
+ I (not very active anymore)
> Ubuntu (Linux)
+ N
>
>
> Mailing Lists & VDBs
> Bugtraq
+ M
> Vuln-Watch
+ I
> VulnDev
+ I
> Full Disclosure
+ N (from a CVE perspective the noise ratio is too high to consider it "must have" - most relevant info is also sent to bugtraq and if not then it will still be caught by the VDBs and can be spotted there).
> Security Focus
+ M (I'm a bit between "must have" and "nice to have" since the publicly available info doesn't really provide anything not already available from Secunia and OSVDB; leaning towards "must have" as some still seem to find it useful).
> Security Tracker
+ I
> OSVDB
+ M (focuses a lot on covering "everything" including unstable software (not covered by Secunia) and old, historic issues that do not affect later versions (partially covered by Secunia) - it's, therefore, a nice complement to Secunia).
> ISS X-Force
+ N (primarily due to their coverage of IBM vulnerabilities)
> FRSIRT/VUPEN
+ I (pretty much dead, random coverage, and provides no info not already available elsewhere (just links to various resources now))
> Secunia
+ M (obviously! ;-) Our verification process daily results in extra details being added to advisories not available in the original vulnerability reports. Secunia is also a CNA (CVEs are assigned for internally discovered vulnerabilities and vulnerabilities coordinated on behalf of external researchers) and original source of a lot of vulnerability reports[1]).
[1]: http://secunia.com/community/research/
> Packet Storm
+ N (most of it is available on exploit-db.com, which I personally find to be a better source)
> Exploit-DB.com
+ M
> SecuriTeam
+ I
> SANS Mailing List (Qualys)
+ I
> Neohapsis (Security Threat Watch)
+ I
> Metasploit
+ I (great project but not that useful from a CVE perspective as it's seldom an original source)
> Snort
+ I
> Contagiodump.blogspot.com
+ N
> Oss-security
+ M
> Additions....
> APSA / APSB - Adobe
+ M
> ZDI
+ N (original source for a lot of reports, but information will also be available e.g. on monitored mailing lists)
> MSVR - Microsoft Vulnerability Research Advisories
+ N
> iDefense
+ N
> VMSA (VMware Security Advisories)
+ M
> CNVD (China National Vulnerability Database)
+ N
> JVN
+ N
--
Med venlig hilsen / Kind regards
Carsten H. Eiram
Chief Security Specialist
Follow us on twitter
http://twitter.com/secunia
http://twitter.com/carsteneiram
Secunia
Mikado House
Rued Langgaards Vej 8
2300 Copenhagen S
Denmark
Phone +45 7020 5144
Fax +45 7020 5145