[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
Re: Updating the Products and Sources list.
So which of these products / vendors have associated CNAs that should already be covered and are outside of MITRE’s direct assignment responsibility? Could the list be enriched with that information?
If we have CNAs for specific areas/items then we need to identify them. I have been under the impression the products / sources lists were for MITRE’s use directly.
---
Kent Landfield
+1.817.637.8026
From: <owner-cve-editorial-board-list@lists.mitre.org<mailto:owner-cve-editorial-board-list@lists.mitre.org>> on behalf of "Evans, Jonathan L." <jevans@mitre.org<mailto:jevans@mitre.org>>
Date: Thursday, January 7, 2016 at 2:00 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org<mailto:cve-editorial-board-list@lists.mitre.org>>
Subject: Updating the Products and Sources list.
All,
Several years have passed since the creation of the Products and Sources list (http://cve.mitre.org/data/board/archives/2012-09/msg00000.html), which MITRE uses to prioritize CVE coverage. Since that time, products have changed names, the importance of products have changed, sources have come and gone, etc. It is well past time for an update. MITRE is seeking the Editorial Board’s guidance on what the updated list should contain. We have included a new proposed list below to kick off the discussion.
When we went through this process in 2012, MITRE was looking for advice on prioritization of CVE processing, so we focused on the sources we use to create the CVEs. This time, we want help with prioritizing both reservation request processing and CVE processing. Since we rarely know the source the requester will use at the time of reservation but we often, though not always, know the product, our proposed updates consist largely of new products. The sources section still needs updating but we think focusing on products will provide the largest impact for the effort.
Along with the expanded product list, we included a more granular prioritization system. On the current list, the priorities are "Must Have" and everything else. We believe there are products that fall between these priorities, and we feel it would help MITRE and the community at large if we make our prioritization explicit. We have broken down the new list using the following priority tiers:
Tier 1: Must Cover - This tier is the same as the current "Must Have" category. Products in this class should be widely used and likely to be targeted by attackers.
Tier 2: Should Cover - Products in this tier should be covered, but full coverage is not required. Products in this tier should have wide distribution.
Tier 3: Can Cover - These products are nice to have. Products in this list have a more limited distribution or have some other mitigating factor.
Tier 4: May Not Cover - This tier contains products that are not named on the list. These products are given the lowest priority.
Tier 5: Must Not Cover - Products that should not be assigned a CVE are included in this tier. We are not proposing any additions to this tier other than site-specific products, which have been long established as outside the scope of CVE.
Please note that packaging approaches in Linux distributions still present challenges for prioritization. The definition of coverage for Linux vendors that the Editorial Board previously agreed upon was to publish CVEs for every vulnerability in every package the vendor supports. This means that by covering Debian, we must also cover the vulnerabilities in products like 0ad, a real-time strategy game. We don't think that such products should be given the same kind of attention as products like tar or curl. However, the sheer number of packages Linux vendors support (e.g., according to Wikipedia, Debian has 56,864 packages) make prioritizing them individually prohibitive, and we don't think it is worth the Board's time. We don't have a good way of prioritizing coverage of Linux packages, so we greatly encourage any suggestions from those who do.
As I said earlier in this email, everything mentioned here is simply to start the conversation. MITRE relies on the Board's guidance, and we fully expect there to be many revisions to our proposal.
-
Jonathan Evans
CVE Content Technical Lead
The MITRE Corporation
------------------------
TIER 1 - MUST COVER
Adobe
Alcatel-Lucent
Apache Software Foundation: Apache HTTP Server
Apple
CA Technologies
Check Point: Security Gateways product line
Cisco
Citrix
EMC
F5
Fortinet: FortiGate product line
F-Secure
Google: Google Chrome
Hewlett Packard Enterprise
HP Inc.
IBM
Intel: McAfee
Internet Systems Consortium (ISC)
Juniper
kernel.org: Linux kernel
Microsoft
MIT Kerberos
Mozilla
MySQL
OpenLDAP
OpenSSH
OpenSSL
Oracle
PHP
Pulse Secure (formerly Juniper Junos)
SAP
Sendmail
Sophos
Symantec
VMware
WebKit
WordPress
Xen
TIER 2 - SHOULD COVER
A10 Networks
Adtran
AMD
Android (associated with Google or Open Handset Alliance)
Arista Networks
Aruba Networks
Atlassian
Attachmate: Novell
Avast
Avaya
Barracuda Networks
Bitdefender
Blue Coat
Dell: Desktop/Notebook product lines
Dell: SonicWALL Network Security product line
Drupal
ESET
Fortinet
Fujitsu: Desktop/Notebook product lines
Good for Enterprise
Grails
Groovy
Intel
Joomla!
Kaspersky Lab
Lenovo: general-purpose computers, software for general-purpose
operating systems, mobile devices, enterprise storage and networking
products
LibreOffice
LibreSSL
Nvidia
OpenStack
Opera
Palo Alto Networks
Panda Security
Perl
Pivotal
Python
RealNetworks
RIM/BlackBerry
Ruby
Samba
Splunk
Tenable Network Security
Trend Micro
TYPO3
Veritas Software
WatchGuard
Webroot
Websense
TIER 3 - CAN COVER
Agilent
AirWatch
ARCserve
b2evolution
BMC
Borland
Brocade Communications Systems
certificate-transparency
Cloudera
CMS Made Simple
CommuniGate Pro
Corel
CoreMedia CMS
Dart
Dell: general-purpose computers and tablets, software for
general-purpose operating systems, printers, enterprise storage and
networking products
django CMS
docSTAR eclipse
DokuWiki
Dotclear
DotCMS
DotNetNuke
Duo Security
Ektron CMS
Exponent CMS
FirstSpirit
Foswiki
Foxit
FreeSWITCH
Geeklog
Hitachi Information Technology products
HTC
Huawei
iDirect
ikiwiki
ImpressPages
Invision Power Suite
Ipswitch
knockoutjs.com Knockout
LG: mobile devices
Liferay
LiteSpeed Web Server
LogMeIn
Magento
MobileIron
MODX
MoinMoin
Motorola Mobility: mobile devices
Movable Type
Mura CMS
MyBB
NaviServer
NetApp
NetBSD
Nokia
Novius OS
OpenBSD
OpenText FirstClass
OpenXava
Open-Xchange
PhpWiki
PivotX
Play Framework
Plone
Pluck
PmWiki
polymer-project.org Polymer
PowerMTA
Resin
Samsung: mobile devices
SAS
Scalix
SDL Tridion
Serendipity
SilverStripe
Sitecore Experience Platform
SolarWinds
Tibco
Tiki
TrueCrypt
TWiki
Ubiquiti Networks
Umbraco
vBulletin
VeraCrypt
WinZip
Workshare
XOOPS
Zikula
Zimbra Collaboration Suite
TIER 4 - MAY NOT COVER
Any product not specified in any other tier.
TIER 5 - MUST NOT Cover
Site-specific products, e.g. google.com
Unspecified - The vendors in this section support products that have a varying degrees of importance.
Apache Software Foundation: All
Attachmate: SUSE
CentOS
Debian
Fedora
FreeBSD
Gentoo (Linux)
openSUSE
Red Hat
Ubuntu