[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Sources: Full and Partial Coverage (CNA increase)

On 2012-06-25 14:59 , security curmudgeon wrote:

> : What should CVE cover?  CVE should cover vulnerabilities.  I'd like CVE 
> : to cover, if not all, then the most important vulnerabilities.  "Most 
> : important" gets a bit tricky, but one aspect should be the scope of the 
> : vulnerability -- the number of people affected, possibly within a 
> : constituency.  A vulnerability affects one or more products, and we care 
> : about products because they are used by or affect (service) many (or 
> : few) people.
> You are entirely right. And, you are using sketchy wording =)
> : phpGolf?  Affects few, don't include. (*)
> : 
> : Microsoft XML Core Services?  Affects many, include.
> Siemens SIMATIC? Affects very few customers, don't include.
> Siemens SIMATIC? Affects hundreds of millions of THEIR customers, include.
> There are dozens of software packages that many haven't heard of, even in 
> the VDB world. Yet, they are embedded in hundreds or thousands of other 
> packages. Jetty, SPAW, and FckEditor just to name a few. There are more 
> that I can't think of right off, but I routinely see in changelogs of 
> bigger / more visible products.

It's not sketchy, it's precise :)  "...used by or affect..." is meant to
include SIMATIC, and Facebok, and others.  I mean that the product could
also affect many, not only that the many each have a copy of the product.

> : Other "importance" factors are the usual things like impact, ease of 
> : exploitation, related incident activity, ease of access, etc.  
> : CVSS-like stuff.  I don't necessarily recommend this, but CVE should 
> : include all vulnerabilities with a CVSS environmental score of X or 
> : higher (with environment == the internet).
> I don't think that is a valid criteria really, as XSS / LFI / RFI / SQLi 
> are all 5+. I use 5 as the example because of PCI; any of those will fail 
> a PCI certification test. I'd love to see someone do some quick stats on 
> the number of vulns broken out by CVSS score, but I'd wager 75%+ are CVSS 
> 4+ (I think the actual PCI certification cutoff now?).

I said I didn't necessarily recommend it (CVSS), but assuming some
severity metric or definition, I'd like CVE to come up with a level of
importance/criteria that results in the vulnerability getting into CVE.

Also, and off-topic, sites with those web app vuls should probably fail PCI.

 - Art

Page Last Updated or Reviewed: November 06, 2012