[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Sources: Full and Partial Coverage

A few comments:

1) ISS X-Force database - I have not found this to be particularly useful for general vuln discovery/research. I guess it is a good source for IBM-related vulns.
2) Secunia has been very useful, and they have pretty thorough and timely coverage.
3) Mandriva?? CentOS is a more important distro imo.
4) Red Hat, Debian, Ubuntu definitely neeed to be covered

Some more techs to consider for Full/Selective coverage:
5) Many other ASF projects, such as: Axis, Axis2, Tomcat, Xerces-C/J, Struts, various Commons projects, etc
6) Crypto algorithms/standards:  Rijndael, DES, MD5, AES, 3DES, SHA, etc *
7) RSA products **
8) SAP products - especially BO, BI, NetWeaver **
9) AV software - all popular brands. Published research is often incomplete and fails to test/list all potentially affected vendors. Detection evasion issues are debateable for CVE coverage. *
10) MySQL - some issues appear to be published earlier on MySQL site than on Oracle Alerts site. No public correlation by vendor for issues published on mysql.com vs oracle.com
11) SCADA **

* Could probably be covered through existing coverage of gen sec mailing lists and vuln db websites

** Any coverage very difficult due to vendor support sites being hidden behind customer login, and also due to no public disclosure by vendor. Would need assistance from vendor.

Thanks and regards,
Ken Williams, Director
CA Technologies Product Vulnerability Response Team
CA Technologies Business Unit Operations
wilja22@ca.com - 816-914-4225

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Mann, Dave
Sent: Friday, May 04, 2012 4:59 PM
To: cve-editorial-board-list
Subject: Sources: Full and Partial Coverage


We seek your input on the following sets of sources of vulnerability information.  All of the sources in the following list have been identified in our prior discussions as "must-haves".

We are breaking this list into 3 groups:
+ Sources that should be fully covered
+ Sources that should be monitored but selectively covered Sources that 
+ present big challenges meriting further discussion

For the purpose of our current discussions, we would like your feedback, reactions and input on these first 2 groups.  The primary question is, should any in the first group be demoted to the second and, conversely, should any from the second group be promoted to the first.

As you consider these groups, understand that we are discussing prioritization, not feasibility.  It may be the case that CVE's current practices will need to be changed to provide the stated coverage goals for some of these sources.  We'll address that issue in later email discussions.

We'll give some indications as to why we think the second group should be only partially covered below.

US-CERT: Technical Cyber Security Alerts RealNetworks (real.com) Apple EMC, as published through Bugtraq VMware
Google: Google Chrome (includes WebKit)
IBM: issues in IBM ISS X-Force Database
Internet Systems Consortium (ISC)
MIT Kerberos
Apache Software Foundation: Apache HTTP Server
Cisco: Security Advisories/Responses
HP: Security Bulletins                         
Microsoft: Security Bulletins/Advisories Mozilla

US-CERT: Vulnerability Notes [1]
Symantec: SecurityFocus BugTraq (securityfocus.com/archive/1) [1]
Symantec: SecurityFocus Bugtraq ID (securityfocus.com/bid) [1]   
Full Disclosure [1]
OSVDB [1]                                       
SecurityTracker [1]                             
FreeBSD [2]                                    
NetBSD [2]                                  
OpenBSD [2]                                    
Mandriva [2]                                   
oss-security [3]
IBM: issues not in IBM ISS X-Force Database [4]

Red Hat                                      
Attachmate: SUSE                                        
Ubuntu (Linux)                              

[1] - These sources tend to contain a mixture a both high priority issues and lower priority issues.  It is reasonable to not assign CVE ids for vulnerabilities affecting software with limited distribution and impact. 

[2] - We believe that these systems are low enough in terms of their market share and distribution that it is reasonable to only assign CVE ids for more critical vulnerabilities from these sources.

[3] - For the most part, we believe that issues disclosed on this are already disclosed in other sources that we actively monitor.

[4] - At present, IBM has no centralized distribution source for vulnerability information related to many of its products.  Some IBM products use the ISS X-Force database as their disclosure mechanism, which is listed as fully covered source (for IBM issues only).  

David Mann | Principal Infosec Scientist | The MITRE Corporation
e-mail:damann@mitre.org | cell:781.424.6003 ==================================================================

Page Last Updated or Reviewed: November 06, 2012