
Re: Sources: Full and Partial Coverage



Hi,

I would like to repeat my question on which I have not received any responses
last time around - what is the goal we are trying to achieve by putting someone
into "fully covered" or "partially covered" basket? Are we trying to cover most 
important products? Most used products? Most well known stuff? Sources that we 
happen to know? Something else?

If we are indeed trying to cover the most important products (according to some
unspecified and fuzzy criteria) then we are missing things like OpenSSL and Citrix.
Additionally, Red Hat should be promoted to fully covered as it is used in many
products.

Thanks,

Gaus


On Thu, May 10, 2012 at 07:50:24PM +0000, Mann, Dave wrote:
> Folks,
> 
> Three comments...
> 
> 1) Our language has moved from "must have/nice to have" to "fully covered/partially covered".
> 
> 2) In our current discussion, we are only considering sources that you all identified as "must haves" in our prior discussion.   The list that I posted last Friday broke your previous "must haves" into 2 sub-groups:  sources that the CVE team agrees should be "fully covered" and sources that the CVE team believes should be demoted to "partially covered status".   
> 
> THE PRIMARY QUESTIONS WE'RE SEEKING GUIDANCE ON ARE:
> A) SHOULD ANY OF OUR SUGGESTED PARTIALLY COVERED SOURCES BE PROMOTED BACK TO FULLY COVERED STATUS?
> B) ARE THERE ANY OTHER SOURCES YOU BELIEVE SHOULD BE FULLY COVERED?
> 
> 3) As you consider these questions, please bear in mind that we have a very long list of sources previously designated as "nice to have".   We would ask that you hold your suggestions for other partially covered sources (aka nice to have) for later when we consider the full list of partially covered sources (in addition to those we suggest demoting).
> 
> 
> 
> Here are the lists again, along with a list of sources that have been nominated as needing to be fully covered.  We would like more discussion on the fully covered sets.  Note, we may not be able to cover all of the sources being nominated as full coverage, so please consider and defend your nominations in that light.
> 
> 
> SHOULD BE FULLY COVERED
> -----------------------
> US-CERT: Technical Cyber Security Alerts
> RealNetworks (real.com)
> Apple
> EMC, as published through Bugtraq
> VMware
> Google: Google Chrome (includes WebKit)
> IBM: issues in IBM ISS X-Force Database
> Internet Systems Consortium (ISC)
> MIT Kerberos
> Adobe
> Apache Software Foundation: Apache HTTP Server
> Cisco: Security Advisories/Responses
> HP: Security Bulletins
> Microsoft: Security Bulletins/Advisories
> Mozilla
> Oracle
> 
> 
> SHOULD BE MONITORED BUT SELECTIVELY COVERED (being demoted)
> -------------------------------------------
> US-CERT: Vulnerability Notes [1]
> Symantec: SecurityFocus BugTraq (securityfocus.com/archive/1) [1]
> Symantec: SecurityFocus Bugtraq ID (securityfocus.com/bid) [1]
> Full Disclosure [1]
> OSVDB [1]
> SecurityTracker [1]
> FreeBSD [2]
> NetBSD [2]
> OpenBSD [2]
> Mandriva [2]
> oss-security [3]
> IBM: issues not in IBM ISS X-Force Database [4]
> 
> 
> PRESENT BIG CHALLENGES THAT MERIT DISCUSSION AT A LATER TIME
> ------------------------------------------------------------
> Debian
> Red Hat
> Attachmate: SUSE
> Ubuntu (Linux)
> 
> 
> 
> Requests for Additional Fully-Covered Sources
> ----------------------------------------------
> Juniper - JTAC Technical Bulletins
> Citrix / Xen
> ASF: Apache Tomcat
> Samba Security Updates and Information
> PHP
> FoxIt Support Center - Security Advisories
> Symantec Security (Not BIDs but actual Symantec Advisories)
> McAfee Security
> Exploit Database (for entries containing exploit code)
> 
> -Dave
> ==================================================================
> David Mann | Principal Infosec Scientist | The MITRE Corporation
> ------------------------------------------------------------------
> e-mail:damann@mitre.org | cell:781.424.6003
> ==================================================================
> 

==============
Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/go/psirt>      Telephone: +44 7715 546 033
200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
==============
There are no insolvable problems. 
The question is can you accept the solution? 


Incident Response and Product Security
http://www.ciscopress.com/bookstore/product.asp?isbn=1587052644


- - - -
Cisco.com - http://www.cisco.com/global/UK



Page Last Updated or Reviewed: November 06, 2012