
RE: Sources: Full and Partial Coverage



That's a fairly comprehensive list. 

My head researcher felt that these were absent and should be considered given the infrastructure roles they play and I agree.  

Fully Cover
1) Juniper - JTAC Technical Bulletins
2) Citrix / Xen
3) ASF: Apache Tomcat
4) Samba Security Updates and Information
5) PHP
7) FoxIt Support Center - Security Advisories
8) Symantec Security (Not BIDs but actual Symantec Advisories)
9) McAfee Security


Partially Cover
1) http://www.exploit-db.com/ <-- if they hit this repository exploit code
is available to the public, and it warrants a CVE.


They also scratched their heads with RealPlayer being on the list but that might be something Federal market specific. 

--tk

--
Tim "TK" Keanini, CTO    ...    nCircle Inc.   ...   mbl (415) 328-2722  ...


-----Original Message-----
From: owner-cve-editorial-board-list@LISTS.MITRE.ORG [mailto:owner-cve-editorial-board-list@LISTS.MITRE.ORG] On Behalf Of Mann, Dave
Sent: Friday, May 04, 2012 4:59 PM
To: cve-editorial-board-list
Subject: Sources: Full and Partial Coverage

All,

We seek your input on the following sets of sources of vulnerability information.  All of the sources in the following list have been identified in our prior discussions as "must-haves".

We are breaking this list into 3 groups:
+ Sources that should be fully covered
+ Sources that should be monitored but selectively covered
+ Sources that present big challenges meriting further discussion

For the purpose of our current discussions, we would like your feedback, reactions and input on these first 2 groups.  The primary question is, should any in the first group be demoted to the second and, conversely, should any from the second group be promoted to the first.

As you consider these groups, understand that we are discussing prioritization, not feasibility.  It may be the case that CVE's current practices will need to be changed to provide the stated coverage goals for some of these sources.  We'll address that issue in later email discussions.

We'll give some indications as to why we think the second group should be only partially covered below.


SHOULD BE FULLY COVERED
-----------------------
US-CERT: Technical Cyber Security Alerts
RealNetworks (real.com)
Apple
EMC, as published through Bugtraq
VMware
Google: Google Chrome (includes WebKit)
IBM: issues in IBM ISS X-Force Database
Internet Systems Consortium (ISC)
MIT Kerberos
Adobe
Apache Software Foundation: Apache HTTP Server
Cisco: Security Advisories/Responses
HP: Security Bulletins                         
Microsoft: Security Bulletins/Advisories
Mozilla
Oracle                                      


SHOULD BE MONITORED BUT SELECTIVELY COVERED
-------------------------------------------
US-CERT: Vulnerability Notes [1]
Symantec: SecurityFocus BugTraq (securityfocus.com/archive/1) [1]
Symantec: SecurityFocus Bugtraq ID (securityfocus.com/bid) [1]   
Full Disclosure [1]
OSVDB [1]                                       
SecurityTracker [1]                             
FreeBSD [2]                                    
NetBSD [2]                                  
OpenBSD [2]                                    
Mandriva [2]                                   
oss-security [3]
IBM: issues not in IBM ISS X-Force Database [4]


PRESENT BIG CHALLENGES THAT MERIT DISCUSSION AT A LATER TIME
------------------------------------------------------------
Debian
Red Hat                                      
Attachmate: SUSE                                        
Ubuntu (Linux)                              


[1] - These sources tend to contain a mixture of both high priority issues and lower priority issues.  It is reasonable to not assign CVE ids for vulnerabilities affecting software with limited distribution and impact.

[2] - We believe that these systems are low enough in terms of their market share and distribution that it is reasonable to only assign CVE ids for more critical vulnerabilities from these sources.

[3] - For the most part, we believe that issues disclosed on this are already disclosed in other sources that we actively monitor.

[4] - At present, IBM has no centralized distribution source for vulnerability information related to many of its products.  Some IBM products use the ISS X-Force database as their disclosure mechanism, which is listed as a fully covered source (for IBM issues only).

-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================


