
Re: Updating the Products and Sources list.



Hi Mike,

Does that assignment responsibility also extend to Veritas Software as
well?  

Thanks.
---
Kent Landfield
+1.817.637.8026




On 1/8/16, 8:56 AM, "Mike Prosser" <mprosser@symantec.com> wrote:

>Symantec is the CNA for all things Symantec but also works closely at times
>with CERT on assignments.  We get some submitters occasionally who have
>already gone VFR direct to MITRE for a CVE for their finding.  MITRE has
>always redirected them back to us as the keeper of the Symantec keys...
>
>-Mike Prosser
>Symantec Software Security Group
>
>-----Original Message-----
>From: owner-cve-editorial-board-list@lists.mitre.org
>[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Andy
>Balinsky (balinsky)
>Sent: Thursday, January 07, 2016 3:57 PM
>To: Landfield, Kent B
>Cc: Evans, Jonathan L.; cve-editorial-board-list
>Subject: Re: Updating the Products and Sources list.
>
>Cisco is a CNA for all Cisco issues. When we occasionally get requests
>from an external party to assign one for a third party product, we send
>them to CERT.
>
>Andy
>
>> On Jan 7, 2016, at 3:37 PM, Landfield, Kent B
>><kent.b.landfield@intel.com> wrote:
>> 
>> So which of these products / vendors have associated CNAs that should
>>already be covered and are outside of MITRE's direct assignment
>>responsibility? Could the list be enriched with that information?
>> 
>> If we have CNAs for specific areas/items then we need to identify them.
>>I have been under the impression the products / sources lists were for
>>MITRE's use directly.
>> ---
>> Kent Landfield
>> +1.817.637.8026
>> 
>> From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of
>>"Evans, Jonathan L." <jevans@mitre.org>
>> Date: Thursday, January 7, 2016 at 2:00 PM
>> To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
>> Subject: Updating the Products and Sources list.
>> 
>> All,
>> 
>> Several years have passed since the creation of the Products and
>>Sources list 
>>(http://cve.mitre.org/data/board/archives/2012-09/msg00000.html), which
>>MITRE uses to prioritize CVE coverage. Since that time, products have
>>changed names, the importance of products has changed, sources have
>>come and gone, etc.  It is well past time for an update.  MITRE is
>>seeking the Editorial Board's guidance on what the updated list should
>>contain.  We have included a new proposed list below to kick off the
>>discussion.
>> 
>> When we went through this process in 2012, MITRE was looking for advice
>>on prioritization of CVE processing, so we focused on the sources we use
>>to create the CVEs.  This time, we want help with prioritizing both
>>reservation request processing and CVE processing.  Since we rarely know
>>the source the requester will use at the time of reservation but we
>>often, though not always, know the product, our proposed updates consist
>>largely of new products.  The sources section still needs updating but
>>we think focusing on products will provide the largest impact for the
>>effort.
>> 
>> Along with the expanded product list, we included a more granular
>>prioritization system.  On the current list, the priorities are "Must
>>Have" and everything else.  We believe there are products that fall
>>between these priorities, and we feel it would help MITRE and the
>>community at large if we make our prioritization explicit.  We have
>>broken down the new list using the following priority tiers:
>> Tier 1: Must Cover - This tier is the same as the current "Must Have"
>>category.  Products in this class should be widely used and likely to be
>>targeted by attackers.
>> Tier 2: Should Cover - Products in this tier should be covered, but
>>full coverage is not required.  Products in this tier should have wide
>>distribution.
>> Tier 3: Can Cover - These products are nice to have.  Products in this
>>list have a more limited distribution or have some other mitigating
>>factor.
>> Tier 4: May Not Cover - This tier contains products that are not named
>>on the list.  These products are given the lowest priority.
>> Tier 5: Must Not Cover - Products that should not be assigned a CVE are
>>included in this tier.  We are not proposing any additions to this tier
>>other than site-specific products, which have been long established as
>>outside the scope of CVE.
>> 
>> Please note that packaging approaches in Linux distributions still
>>present challenges for prioritization.  The definition of coverage for
>>Linux vendors that the Editorial Board previously agreed upon was to
>>publish CVEs for every vulnerability in every package the vendor
>>supports.  This means that by covering Debian, we must also cover the
>>vulnerabilities in products like 0ad, a real-time strategy game.  We
>>don't think that such products should be given the same kind of
>>attention as products like tar or curl.  However, the sheer number of
>>packages Linux vendors support (e.g., according to Wikipedia, Debian has
>>56,864 packages) make prioritizing them individually prohibitive, and we
>>don't think it is worth the Board's time.  We don't have a good way of
>>prioritizing coverage of Linux packages, so we greatly encourage any
>>suggestions from those who do.
>> 
>> As I said earlier in this email, everything mentioned here is simply to
>>start the conversation.  MITRE relies on the Board's guidance, and we
>>fully expect there to be many revisions to our proposal.
>> 
>> -
>> Jonathan Evans
>> CVE Content Technical Lead
>> The MITRE Corporation
>> 
>> ------------------------
>> 
>> TIER 1 - MUST COVER
>>        Adobe
>>        Alcatel-Lucent
>>        Apache Software Foundation: Apache HTTP Server
>>        Apple
>>        CA Technologies
>>        Check Point: Security Gateways product line
>>        Cisco
>>        Citrix
>>        EMC
>>        F5
>>        Fortinet: FortiGate product line
>>        F-Secure
>>        Google: Google Chrome
>>        Hewlett Packard Enterprise
>>        HP Inc.
>>        IBM
>>        Intel: McAfee
>>        Internet Systems Consortium (ISC)
>>        Juniper
>>        kernel.org: Linux kernel
>>        Microsoft
>>        MIT Kerberos
>>        Mozilla
>>        MySQL
>>        OpenLDAP
>>        OpenSSH
>>        OpenSSL
>>        Oracle
>>        PHP
>>        Pulse Secure (formerly Juniper Junos)
>>        SAP
>>        Sendmail
>>        Sophos
>>        Symantec
>>        VMware
>>        WebKit
>>        WordPress
>>        Xen
>> 
>> TIER 2 - SHOULD COVER
>>        A10 Networks
>>        Adtran
>>        AMD
>>        Android (associated with Google or Open Handset Alliance)
>>        Arista Networks
>>        Aruba Networks
>>        Atlassian
>>        Attachmate: Novell
>>        Avast
>>        Avaya
>>        Barracuda Networks
>>        Bitdefender
>>        Blue Coat
>>        Dell: Desktop/Notebook product lines
>>        Dell: SonicWALL Network Security product line
>>        Drupal
>>        ESET
>>        Fortinet
>>        Fujitsu: Desktop/Notebook product lines
>>        Good for Enterprise
>>        Grails
>>        Groovy
>>        Intel
>>        Joomla!
>>        Kaspersky Lab
>>        Lenovo: general-purpose computers, software for general-purpose
>>                operating systems, mobile devices, enterprise storage and
>>                networking products
>>        LibreOffice
>>        LibreSSL
>>        Nvidia
>>        OpenStack
>>        Opera
>>        Palo Alto Networks
>>        Panda Security
>>        Perl
>>        Pivotal
>>        Python
>>        RealNetworks
>>        RIM/BlackBerry
>>        Ruby
>>        Samba
>>        Splunk
>>        Tenable Network Security
>>        Trend Micro
>>        TYPO3
>>        Veritas Software
>>        WatchGuard
>>        Webroot
>>        Websense
>> 
>> TIER 3 - CAN COVER
>>        Agilent
>>        AirWatch
>>        ARCserve
>>        b2evolution
>>        BMC
>>        Borland
>>        Brocade Communications Systems
>>        certificate-transparency
>>        Cloudera
>>        CMS Made Simple
>>        CommuniGate Pro
>>        Corel
>>        CoreMedia CMS
>>        Dart
>>        Dell: general-purpose computers and tablets, software for
>>                general-purpose operating systems, printers, enterprise
>>                storage and networking products
>>        django CMS
>>        docSTAR eclipse
>>        DokuWiki
>>        Dotclear
>>        DotCMS
>>        DotNetNuke
>>        Duo Security
>>        Ektron CMS
>>        Exponent CMS
>>        FirstSpirit
>>        Foswiki
>>        Foxit
>>        FreeSWITCH
>>        Geeklog
>>        Hitachi Information Technology products
>>        HTC
>>        Huawei
>>        iDirect
>>        ikiwiki
>>        ImpressPages
>>        Invision Power Suite
>>        Ipswitch
>>        knockoutjs.com Knockout
>>        LG: mobile devices
>>        Liferay
>>        LiteSpeed Web Server
>>        LogMeIn
>>        Magento
>>        MobileIron
>>        MODX
>>        MoinMoin
>>        Motorola Mobility: mobile devices
>>        Movable Type
>>        Mura CMS
>>        MyBB
>>        NaviServer
>>        NetApp
>>        NetBSD
>>        Nokia
>>        Novius OS
>>        OpenBSD
>>        OpenText FirstClass
>>        OpenXava
>>        Open-Xchange
>>        PhpWiki
>>        PivotX
>>        Play Framework
>>        Plone
>>        Pluck
>>        PmWiki
>>        polymer-project.org Polymer
>>        PowerMTA
>>        Resin
>>        Samsung: mobile devices
>>        SAS
>>        Scalix
>>        SDL Tridion
>>        Serendipity
>>        SilverStripe
>>        Sitecore Experience Platform
>>        SolarWinds
>>        Tibco
>>        Tiki
>>        TrueCrypt
>>        TWiki
>>        Ubiquiti Networks
>>        Umbraco
>>        vBulletin
>>        VeraCrypt
>>        WinZip
>>        Workshare
>>        XOOPS
>>        Zikula
>>        Zimbra Collaboration Suite
>> 
>> TIER 4 - MAY NOT COVER
>>        Any product not specified in any other tier.
>> 
>> TIER 5 - MUST NOT COVER
>>        Site-specific products, e.g. google.com
>> 
>> Unspecified - The vendors in this section support products of
>>varying degrees of importance.
>>        Apache Software Foundation: All
>>        Attachmate: SUSE
>>        CentOS
>>        Debian
>>        Fedora
>>        FreeBSD
>>        Gentoo (Linux)
>>        openSUSE
>>        Red Hat
>>        Ubuntu
>


Page Last Updated or Reviewed: January 11, 2016