
Re: Sources: Full and Partial Coverage


No, not really. By definition CVE is a best-effort project. It is so
because we rely on others (i.e., vendors, researchers) to provide the information.
Until we have vendors committed to assigning CVEs themselves, that will continue
to be so.

Estimating how many vulnerabilities are not covered can also be questioned.
Some vendors may quietly fix things and never admit that fact. Would
you count that as a lack of coverage? I would _if_ I manage to establish that
this really happened. What are the other ways that a vulnerability may 'escape'?

The bottom line is that I am a pragmatist and will take what is available
to get the job done. If we cannot reliably estimate coverage, I would still
use CVE.


On Fri, May 18, 2012 at 12:51:56PM -0500, security curmudgeon wrote:
> On Fri, 18 May 2012, Damir Rajnovic wrote:
> : Hear, hear! Defining the goal in the scope of products is much better 
> : than sources, and I am saying this as a consumer of CVEs. I have a piece 
> : of SW and I would like to know what is going on with it. If the currently 
> : used sources do not cover the product 100%, then the workaround can be to 
> : publicly say "we cover product X to an estimated 80% (or whatever)". That 
> : way CVE consumers are told of the situation.
> Does your answer change if the percentage cannot be answered with any 
> certainty at all?

Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/go/psirt>      Telephone: +44 7715 546 033
200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
There are no insolvable problems. 
The question is can you accept the solution? 

Incident Response and Product Security

Page Last Updated or Reviewed: November 06, 2012