RE: Sources: Full and Partial Coverage
On Thu, 17 May 2012, Booth, Harold wrote:
: > However, if you say "CVE, monitor ProductX", and due to an incomplete list of sources
: > being monitored, they end up issuing an ID for only 70% of the vulnerabilities disclosed
: > in ProductX, has that met your need?
:
: No, it has not. But then CVE and everyone else will know that, since the
: goal has been defined in terms of "monitor ProductX". Changes to process
: and tools will be made to get the number closer to 100%. If the goal is
: defined as "monitor sources X, Y and Z" which result in an ID for 70% of
: the vulnerabilities disclosed for ProductX there is likely no explicit
: step in the process to improve coverage of ProductX. "What gets
: measured, gets done," and I believe measuring in terms of products
: instead of sources will lead to more desirable results.
That is a good point, but I'm not sure if either of us can justify our
positions short of "CVE would have to try it" =)
In my mind, if you monitor the right sources, you approach 100% for more
products in a repeatable fashion than if you try to go off a list of
products first.