Re: Sources: Full and Partial Coverage (CNA increase)



On 2012-06-25 14:59 , security curmudgeon wrote:

> : What should CVE cover?  CVE should cover vulnerabilities.  I'd like CVE 
> : to cover, if not all, then the most important vulnerabilities.  "Most 
> : important" gets a bit tricky, but one aspect should be the scope of the 
> : vulnerability -- the number of people affected, possibly within a 
> : constituency.  A vulnerability affects one or more products, and we care 
> : about products because they are used by or affect (service) many (or 
> : few) people.
> 
> You are entirely right. And, you are using sketchy wording =)
> 
> : phpGolf?  Affects few, don't include. (*)
> : 
> : Microsoft XML Core Services?  Affects many, include.
> 
> Siemens SIMATIC? Affects very few customers, don't include.
> 
> Siemens SIMATIC? Affects hundreds of millions of THEIR customers, include.
> 
> There are dozens of software packages that many haven't heard of, even in 
> the VDB world. Yet, they are embedded in hundreds or thousands of other 
> packages. Jetty, SPAW, and FckEditor just to name a few. There are more 
> that I can't think of right off, but I routinely see in changelogs of 
> bigger / more visible products.

It's not sketchy, it's precise :)  "...used by or affect..." is meant to
include SIMATIC, and Facebook, and others.  I mean that the product could
also affect many, not only that the many each have a copy of the product.

> : Other "importance" factors are the usual things like impact, ease of 
> : exploitation, related incident activity, ease of access, etc.  
> : CVSS-like stuff.  I don't necessarily recommend this, but CVE should 
> : include all vulnerabilities with a CVSS environmental score of X or 
> : higher (with environment == the internet).
> 
> I don't think that is a valid criteria really, as XSS / LFI / RFI / SQLi 
> are all 5+. I use 5 as the example because of PCI; any of those will fail 
> a PCI certification test. I'd love to see someone do some quick stats on 
> the number of vulns broken out by CVSS score, but I'd wager 75%+ are CVSS 
> 4+ (I think the actual PCI certification cutoff now?).

I said I didn't necessarily recommend it (CVSS), but assuming some
severity metric or definition, I'd like CVE to come up with a level of
importance/criteria that results in the vulnerability getting into CVE.

Also, and off-topic, sites with those web app vulns should probably fail PCI.


 - Art


Page Last Updated or Reviewed: November 06, 2012