[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Sources: Full and Partial Coverage

Harold Booth wrote:
>Dave has stated that this discussion is about what the scope for CVE should
>be. As I review the discussion it seems the focus has been predominately on
>what sources should be covered. I think the focus of the discussion should
>be on what products should be covered. 

I think we are very close in our thinking and would suggest this is a both/and situation, not an either/or one.

I will work with the CVE team to produce a list of "must-have" products based on our recent EB discussions to supplement and help focus the discussion on sources.   It will be a week or two before I can get a draft of that out.


A list of "must-have" products won't eliminate the need for us, as a Board, to come to agreement on the question of sources.  Too many products require more than one source to adequately track.  And we clearly need to track some sources because they alert us to critical vulnerabilities that occur in products that won't make a "must-have" product list.

Damir Rajnovic wrote:
>... what is the goal we are trying to achieve by putting someone
>into "fully covered" or "partially covered" basket? Are we trying to cover
>most important products? Most used products? Most well known stuff? Sources that
>we happen to know? 

Most important to your organization and your customers/constituents.

The decision about which sources of vulnerability information to track and which ones not to track is an Editorial question of judgment.  We are looking for diverse perspective to be aired and hoping we can forge consensus out of that.  

Harold suggested:
>In keeping with the focus on products I would like to propose that the
>scope for CVE be something along the following lines (I don't intend for
>this list to be comprehensive, just illustrative of what I am proposing):
>Cover the top X Operating Systems
>Cover the top X(2) Desktop Applications
>Cover the top X(3) Mobile Applications
>Cover the top X(4) Networking Devices
>Cover the top X(5) Printers
>Cover the top X(6) Web Applications

We envision the lists of products and sources to evolve for a while.  If the end result is something as cleanly and succinctly articulated as what you suggest, that would be great.

First step though is that we come to agreement on the first versions of the lists.

David Mann | Principal Infosec Scientist | The MITRE Corporation
e-mail:damann@mitre.org | cell:781.424.6003

Page Last Updated or Reviewed: November 06, 2012