
RE: Updating the Products and Sources list.

Symantec is the CNA for all things Symantec but also works closely at times with CERT on assignments.  We get some submitters occasionally who have already gone VFR direct to MITRE for a CVE for their finding.  MITRE has always redirected them back to us as the keeper of the Symantec keys...

-Mike Prosser
Symantec Software Security Group

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org On Behalf Of Andy Balinsky (balinsky)
Sent: Thursday, January 07, 2016 3:57 PM
To: Landfield, Kent B
Cc: Evans, Jonathan L.; cve-editorial-board-list
Subject: Re: Updating the Products and Sources list.

Cisco is a CNA for all Cisco issues. When we occasionally get requests from an external party to assign one for a third party product, we send them to CERT.


> On Jan 7, 2016, at 3:37 PM, Landfield, Kent B <kent.b.landfield@intel.com> wrote:
> So which of these products / vendors have associated CNAs that should already be covered and are outside of MITRE's direct assignment responsibility? Could the list be enriched with that information?
> If we have CNAs for specific areas/items then we need to identify them. I have been under the impression the products / sources lists were for MITRE's use directly.
> ---
> Kent Landfield
> +1.817.637.8026
> From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Evans, Jonathan L." <jevans@mitre.org>
> Date: Thursday, January 7, 2016 at 2:00 PM
> To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Subject: Updating the Products and Sources list.
> All,
> Several years have passed since the creation of the Products and Sources list (http://cve.mitre.org/data/board/archives/2012-09/msg00000.html), which MITRE uses to prioritize CVE coverage. Since that time, products have changed names, the importance of products has changed, sources have come and gone, etc.  It is well past time for an update.  MITRE is seeking the Editorial Board's guidance on what the updated list should contain.  We have included a new proposed list below to kick off the discussion.
> When we went through this process in 2012, MITRE was looking for advice on prioritization of CVE processing, so we focused on the sources we use to create the CVEs.  This time, we want help with prioritizing both reservation request processing and CVE processing.  Since we rarely know the source the requester will use at the time of reservation but we often, though not always, know the product, our proposed updates consist largely of new products.  The sources section still needs updating but we think focusing on products will provide the largest impact for the effort.
> Along with the expanded product list, we included a more granular prioritization system.  On the current list, the priorities are "Must Have" and everything else.  We believe there are products that fall between these priorities, and we feel it would help MITRE and the community at large if we make our prioritization explicit.  We have broken down the new list using the following priority tiers:
> Tier 1: Must Cover - This tier is the same as the current "Must Have" category.  Products in this class should be widely used and likely to be targeted by attackers.
> Tier 2: Should Cover - Products in this tier should be covered, but full coverage is not required.  Products in this tier should have wide distribution.
> Tier 3: Can Cover - These products are nice to have.  Products in this list have a more limited distribution or have some other mitigating factor.
> Tier 4: May Not Cover - This tier contains products that are not named on the list.  These products are given the lowest priority.
> Tier 5: Must Not Cover - Products that should not be assigned a CVE are included in this tier.  We are not proposing any additions to this tier other than site-specific products, which have been long established as outside the scope of CVE.
> Please note that packaging approaches in Linux distributions still present challenges for prioritization.  The definition of coverage for Linux vendors that the Editorial Board previously agreed upon was to publish CVEs for every vulnerability in every package the vendor supports.  This means that by covering Debian, we must also cover the vulnerabilities in products like 0ad, a real-time strategy game.  We don't think that such products should be given the same kind of attention as products like tar or curl.  However, the sheer number of packages Linux vendors support (e.g., according to Wikipedia, Debian has 56,864 packages) makes prioritizing them individually prohibitive, and we don't think it is worth the Board's time.  We don't have a good way of prioritizing coverage of Linux packages, so we greatly encourage any suggestions from those who do.
> As I said earlier in this email, everything mentioned here is simply to start the conversation.  MITRE relies on the Board's guidance, and we fully expect there to be many revisions to our proposal.
> -
> Jonathan Evans
> CVE Content Technical Lead
> The MITRE Corporation
> ------------------------
> TIER 1 - MUST Cover
>        Adobe
>        Alcatel-Lucent
>        Apache Software Foundation: Apache HTTP Server
>        Apple
>        CA Technologies
>        Check Point: Security Gateways product line
>        Cisco
>        Citrix
>        EMC
>        F5
>        Fortinet: FortiGate product line
>        F-Secure
>        Google: Google Chrome
>        Hewlett Packard Enterprise
>        HP Inc.
>        IBM
>        Intel: McAfee
>        Internet Systems Consortium (ISC)
>        Juniper
>        kernel.org: Linux kernel
>        Microsoft
>        MIT Kerberos
>        Mozilla
>        MySQL
>        OpenLDAP
>        OpenSSH
>        OpenSSL
>        Oracle
>        PHP
>        Pulse Secure (formerly Juniper Junos)
>        SAP
>        Sendmail
>        Sophos
>        Symantec
>        VMware
>        WebKit
>        WordPress
>        Xen
> TIER 2 - SHOULD Cover
>        A10 Networks
>        Adtran
>        AMD
>        Android (associated with Google or Open Handset Alliance)
>        Arista Networks
>        Aruba Networks
>        Atlassian
>        Attachmate: Novell
>        Avast
>        Avaya
>        Barracuda Networks
>        Bitdefender
>        Blue Coat
>        Dell: Desktop/Notebook product lines
>        Dell: SonicWALL Network Security product line
>        Drupal
>        ESET
>        Fortinet
>        Fujitsu: Desktop/Notebook product lines
>        Good for Enterprise
>        Grails
>        Groovy
>        Intel
>        Joomla!
>        Kaspersky Lab
>        Lenovo: general-purpose computers, software for general-purpose operating systems, mobile devices, enterprise storage and networking products
>        LibreOffice
>        LibreSSL
>        Nvidia
>        OpenStack
>        Opera
>        Palo Alto Networks
>        Panda Security
>        Perl
>        Pivotal
>        Python
>        RealNetworks
>        RIM/BlackBerry
>        Ruby
>        Samba
>        Splunk
>        Tenable Network Security
>        Trend Micro
>        TYPO3
>        Veritas Software
>        WatchGuard
>        Webroot
>        Websense
> TIER 3 - CAN Cover
>        Agilent
>        AirWatch
>        ARCserve
>        b2evolution
>        BMC
>        Borland
>        Brocade Communications Systems
>        certificate-transparency
>        Cloudera
>        CMS Made Simple
>        CommuniGate Pro
>        Corel
>        CoreMedia CMS
>        Dart
>        Dell: general-purpose computers and tablets, software for general-purpose operating systems, printers, enterprise storage and networking products
>        django CMS
>        docSTAR eclipse
>        DokuWiki
>        Dotclear
>        DotCMS
>        DotNetNuke
>        Duo Security
>        Ektron CMS
>        Exponent CMS
>        FirstSpirit
>        Foswiki
>        Foxit
>        FreeSWITCH
>        Geeklog
>        Hitachi Information Technology products
>        HTC
>        Huawei
>        iDirect
>        ikiwiki
>        ImpressPages
>        Invision Power Suite
>        Ipswitch
>        knockoutjs.com Knockout
>        LG: mobile devices
>        Liferay
>        LiteSpeed Web Server
>        LogMeIn
>        Magento
>        MobileIron
>        MODX
>        MoinMoin
>        Motorola Mobility: mobile devices
>        Movable Type
>        Mura CMS
>        MyBB
>        NaviServer
>        NetApp
>        NetBSD
>        Nokia
>        Novius OS
>        OpenBSD
>        OpenText FirstClass
>        OpenXava
>        Open-Xchange
>        PhpWiki
>        PivotX
>        Play Framework
>        Plone
>        Pluck
>        PmWiki
>        polymer-project.org Polymer
>        PowerMTA
>        Resin
>        Samsung: mobile devices
>        SAS
>        Scalix
>        SDL Tridion
>        Serendipity
>        SilverStripe
>        Sitecore Experience Platform
>        SolarWinds
>        Tibco
>        Tiki
>        TrueCrypt
>        TWiki
>        Ubiquiti Networks
>        Umbraco
>        vBulletin
>        VeraCrypt
>        WinZip
>        Workshare
>        XOOPS
>        Zikula
>        Zimbra Collaboration Suite
> TIER 4 - MAY NOT Cover
>        Any product not specified in any other tier.
> TIER 5 - MUST NOT Cover
>        Site-specific products, e.g. google.com
> Unspecified - The vendors in this section support products that have varying degrees of importance.
>        Apache Software Foundation: All
>        Attachmate: SUSE
>        CentOS
>        Debian
>        Fedora
>        FreeBSD
>        Gentoo (Linux)
>        openSUSE
>        Red Hat
>        Ubuntu

Page Last Updated or Reviewed: January 08, 2016