Distribution of mappings to vendors/others - opinions please
This could be a touchy subject, so I've tried to word things
Does anybody who is NOT a vendor have a problem with me giving each
vendor my mappings, only for their own tools? There may be a concern
that the vendors could use these mappings for "marketing purposes"
earlier than they are "supposed to" (e.g., before public release).
Would the vendors be able to guarantee that these mappings wouldn't be
used for any marketing purposes, at least before public release of the
CVE? Note that this particular issue may be a touchy one with my
management, so everyone's input will go a long way.
I recognize that giving the vendors my current mappings for their
tools would reduce duplicate efforts, and help them to more
efficiently assess how the CVE may apply to their databases. It is my
opinion that MITRE should respect the vendors' requests for "privacy"
in limiting the distribution of unreviewed mappings to their tools.
However, I know that this might not appear entirely kosher to others.
Each of my mappings dates to around February. About 100 CVE
vulnerabilities are shared across all/most tools, so we could do a
"sub-mapping" if people have problems with me providing the entire
mappings. The entire mappings are between 50% and 80% complete with
respect to the current CVE version. They have some inaccuracies due
to incomplete descriptive text in the vulnerability lists. I have
mappings for ISS Internet Scanner, Real Secure, and System Security
Scanner, Netect HackerShield, Axent NetRecon (without their own
vulnerability IDs), an old version of NetSonar, and CyberCop Scanner.
In the spirit of fairness and efficiency, I would be willing to offer
a "mapping service" to others in this input forum who have their own
vulnerability databases, provided you can give me a text dump of the
database's descriptive text and its identifier (if any). I'm familiar
enough with the CVE and the advanced mapping script to be able to
create a reasonable mapping in a few hours (assuming the database has
similar content for the CVE). Of course, the long term maintenance of
the mappings will be the database owner's responsibility, as Dave
indicated on Sunday.
To the non-ISS vendors, note that because I utilized the X-Force
database during CVE research, there are already a lot of references in
there that implicitly form a partial mapping, although ISS has
explicitly NOT utilized this information yet.