
RE: Updating the Products and Sources list.



Hi Kent,

It does until the formal separation at which time the new Veritas SSG team
will pick up requesting CVEs through Mitre as necessary.  They are also aware
of becoming a CNA for Veritas so may be working to set that up at some point.

-Mike
Symantec Software Security Group


-----Original Message-----
From: Landfield, Kent B [mailto:kent.b.landfield@intel.com]
Sent: Friday, January 08, 2016 11:39 AM
To: Mike Prosser
Cc: Evans, Jonathan L.; cve-editorial-board-list
Subject: Re: Updating the Products and Sources list.

Hi Mike,

Does that assignment responsibility also extend to Veritas Software as well?

Thanks.
---
Kent Landfield
+1.817.637.8026




On 1/8/16, 8:56 AM, "Mike Prosser" <mprosser@symantec.com> wrote:

>Symantec is CNA for all things Symantec but also work closely at times 
>with CERT on assignments.  We get some submitters occasionally who have 
>already gone VFR direct to MITRE for a CVE for their finding.  MITRE 
>has always redirected them back to us as the keeper of the Symantec keys...
>
>-Mike Prosser
>Symantec Software Security Group
>
>-----Original Message-----
>From: owner-cve-editorial-board-list@lists.mitre.org
>[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
>Andy Balinsky (balinsky)
>Sent: Thursday, January 07, 2016 3:57 PM
>To: Landfield, Kent B
>Cc: Evans, Jonathan L.; cve-editorial-board-list
>Subject: Re: Updating the Products and Sources list.
>
>Cisco is a CNA for all Cisco issues. When we occasionally get requests 
>from an external party to assign one for a third party product, we send 
>them to CERT.
>
>Andy
>
>> On Jan 7, 2016, at 3:37 PM, Landfield, Kent B 
>><kent.b.landfield@intel.com> wrote:
>> 
>> So which of these products / vendors have associated CNAs that should 
>>already be covered and are outside of MITRE's direct assignment 
>>responsibility? Could the list be enriched with that information?
>> 
>> If we have CNAs for specific areas/items then we need to identify them.
>>I have been under the impression the products / sources lists were for 
>>MITRE's use directly.
>> ---
>> Kent Landfield
>> +1.817.637.8026
>> 
>> From: <owner-cve-editorial-board-list@lists.mitre.org<mailto:owner-cve-editorial-board-list@lists.mitre.org>> on behalf of "Evans, Jonathan L." <jevans@mitre.org<mailto:jevans@mitre.org>>
>> Date: Thursday, January 7, 2016 at 2:00 PM
>> To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org<mailto:cve-editorial-board-list@lists.mitre.org>>
>> Subject: Updating the Products and Sources list.
>> 
>> All,
>> 
>> Several years have passed since the creation of the Products and 
>>Sources list 
>>(http://cve.mitre.org/data/board/archives/2012-09/msg00000.html), 
>>which MITRE uses to prioritize CVE coverage. Since that time, products 
>>have changed names, the importance of products has changed, sources 
>>have come and gone, etc.  It is well past time for an update.  MITRE 
>>is seeking the Editorial Board's guidance on what the updated list 
>>should contain.  We have included a new proposed list below to kick 
>>off the discussion.
>> 
>> When we went through this process in 2012, MITRE was looking for 
>>advice on prioritization of CVE processing, so we focused on the 
>>sources we use to create the CVEs.  This time, we want help with 
>>prioritizing both reservation request processing and CVE processing.  
>>Since we rarely know the source the requester will use at the time of 
>>reservation but we often, though not always, know the product, our 
>>proposed updates consist largely of new products.  The sources section 
>>still needs updating but we think focusing on products will provide 
>>the largest impact for the effort.
>> 
>> Along with the expanded product list, we included a more granular 
>>prioritization system.  On the current list, the priorities are "Must 
>>Have" and everything else.  We believe there are products that fall 
>>between these priorities, and we feel it would help MITRE and the 
>>community at large if we make our prioritization explicit.  We have 
>>broken down the new list using the following priority tiers:
>> Tier 1: Must Cover - This tier is the same as the current "Must Have"
>>category.  Products in this class should be widely used and likely to 
>>be targeted by attackers.
>> Tier 2: Should Cover - Products in this tier should be covered, but 
>>full coverage is not required.  Products in this tier should have wide 
>>distribution.
>> Tier 3: Can Cover - These products are nice to have.  Products in 
>>this list have a more limited distribution or have some other 
>>mitigating factor.
>> Tier 4: May Not Cover - This tier contains products that are not 
>>named on the list.  These products are given the lowest priority.
>> Tier 5: Must Not Cover - Products that should not be assigned a CVE 
>>are included in this tier.  We are not proposing any additions to this 
>>tier other than site-specific products, which have been long 
>>established as outside the scope of CVE.
>> 
>> Please note that packaging approaches in Linux distributions still 
>>present challenges for prioritization.  The definition of coverage for 
>>Linux vendors that the Editorial Board previously agreed upon was to 
>>publish CVEs for every vulnerability in every package the vendor 
>>supports.  This means that by covering Debian, we must also cover the 
>>vulnerabilities in products like 0ad, a real-time strategy game.  We 
>>don't think that such products should be given the same kind of 
>>attention as products like tar or curl.  However, the sheer number of 
>>packages Linux vendors support (e.g., according to Wikipedia, Debian 
>>has 56,864 packages) makes prioritizing them individually prohibitive, and 
>>we don't think it is worth the Board's time.  We don't have a good way 
>>of prioritizing coverage of Linux packages, so we greatly encourage 
>>any suggestions from those who do.
>> 
>> As I said earlier in this email, everything mentioned here is simply 
>>to start the conversation.  MITRE relies on the Board's guidance, and 
>>we fully expect there to be many revisions to our proposal.
>> 
>> -
>> Jonathan Evans
>> CVE Content Technical Lead
>> The MITRE Corporation
>> 
>> ------------------------
>> 
>> TIER 1 - MUST COVER
>>        Adobe
>>        Alcatel-Lucent
>>        Apache Software Foundation: Apache HTTP Server
>>        Apple
>>        CA Technologies
>>        Check Point: Security Gateways product line
>>        Cisco
>>        Citrix
>>        EMC
>>        F5
>>        Fortinet: FortiGate product line
>>        F-Secure
>>        Google: Google Chrome
>>        Hewlett Packard Enterprise
>>        HP Inc.
>>        IBM
>>        Intel: McAfee
>>        Internet Systems Consortium (ISC)
>>        Juniper
>>        kernel.org: Linux kernel
>>        Microsoft
>>        MIT Kerberos
>>        Mozilla
>>        MySQL
>>        OpenLDAP
>>        OpenSSH
>>        OpenSSL
>>        Oracle
>>        PHP
>>        Pulse Secure (formerly Juniper Junos)
>>        SAP
>>        Sendmail
>>        Sophos
>>        Symantec
>>        VMware
>>        WebKit
>>        WordPress
>>        Xen
>> 
>> TIER 2 - SHOULD COVER
>>        A10 Networks
>>        Adtran
>>        AMD
>>        Android (associated with Google or Open Handset Alliance)
>>        Arista Networks
>>        Aruba Networks
>>        Atlassian
>>        Attachmate: Novell
>>        Avast
>>        Avaya
>>        Barracuda Networks
>>        Bitdefender
>>        Blue Coat
>>        Dell: Desktop/Notebook product lines
>>        Dell: SonicWALL Network Security product line
>>        Drupal
>>        ESET
>>        Fortinet
>>        Fujitsu: Desktop/Notebook product lines
>>        Good for Enterprise
>>        Grails
>>        Groovy
>>        Intel
>>        Joomla!
>>        Kaspersky Lab
>>        Lenovo: general-purpose computers, software for general-purpose
>>                operating systems, mobile devices, enterprise storage and
>>                networking products
>>        LibreOffice
>>        LibreSSL
>>        Nvidia
>>        OpenStack
>>        Opera
>>        Palo Alto Networks
>>        Panda Security
>>        Perl
>>        Pivotal
>>        Python
>>        RealNetworks
>>        RIM/BlackBerry
>>        Ruby
>>        Samba
>>        Splunk
>>        Tenable Network Security
>>        Trend Micro
>>        TYPO3
>>        Veritas Software
>>        WatchGuard
>>        Webroot
>>        Websense
>> 
>> TIER 3 - CAN COVER
>>        Agilent
>>        AirWatch
>>        ARCserve
>>        b2evolution
>>        BMC
>>        Borland
>>        Brocade Communications Systems
>>        certificate-transparency
>>        Cloudera
>>        CMS Made Simple
>>        CommuniGate Pro
>>        Corel
>>        CoreMedia CMS
>>        Dart
>>        Dell: general-purpose computers and tablets, software for
>>                general-purpose operating systems, printers, enterprise
>>                storage and networking products
>>        django CMS
>>        docSTAR eclipse
>>        DokuWiki
>>        Dotclear
>>        DotCMS
>>        DotNetNuke
>>        Duo Security
>>        Ektron CMS
>>        Exponent CMS
>>        FirstSpirit
>>        Foswiki
>>        Foxit
>>        FreeSWITCH
>>        Geeklog
>>        Hitachi Information Technology products
>>        HTC
>>        Huawei
>>        iDirect
>>        ikiwiki
>>        ImpressPages
>>        Invision Power Suite
>>        Ipswitch
>>        knockoutjs.com Knockout
>>        LG: mobile devices
>>        Liferay
>>        LiteSpeed Web Server
>>        LogMeIn
>>        Magento
>>        MobileIron
>>        MODX
>>        MoinMoin
>>        Motorola Mobility: mobile devices
>>        Movable Type
>>        Mura CMS
>>        MyBB
>>        NaviServer
>>        NetApp
>>        NetBSD
>>        Nokia
>>        Novius OS
>>        OpenBSD
>>        OpenText FirstClass
>>        OpenXava
>>        Open-Xchange
>>        PhpWiki
>>        PivotX
>>        Play Framework
>>        Plone
>>        Pluck
>>        PmWiki
>>        polymer-project.org Polymer
>>        PowerMTA
>>        Resin
>>        Samsung: mobile devices
>>        SAS
>>        Scalix
>>        SDL Tridion
>>        Serendipity
>>        SilverStripe
>>        Sitecore Experience Platform
>>        SolarWinds
>>        Tibco
>>        Tiki
>>        TrueCrypt
>>        TWiki
>>        Ubiquiti Networks
>>        Umbraco
>>        vBulletin
>>        VeraCrypt
>>        WinZip
>>        Workshare
>>        XOOPS
>>        Zikula
>>        Zimbra Collaboration Suite
>> 
>> TIER 4 - MAY NOT COVER
>>        Any product not specified in any other tier.
>> 
>> TIER 5 - MUST NOT COVER
>>        Site-specific products, e.g. google.com
>> 
>> Unspecified - The vendors in this section support products that have 
>>varying degrees of importance.
>>        Apache Software Foundation: All
>>        Attachmate: SUSE
>>        CentOS
>>        Debian
>>        Fedora
>>        FreeBSD
>>        Gentoo (Linux)
>>        openSUSE
>>        Red Hat
>>        Ubuntu
>


Page Last Updated or Reviewed: January 14, 2016