RE: CVE Must-Have Coverage
Hi Dave, all,

I've been lurking on the list since I am no longer an active participant on the editorial board in my current position.

In our case, Symantec product advisories are always posted to the Security Focus site as well as to our Advisory page. The Security Focus site being the much better one to monitor as has been recommended here. We also coordinate with the finders/submitters with URLs to our advisories and CVEs, if they don't acquire them, so they can include the info in their advisories/bulletins.

Assume that's a similar case for at least some of the other Non-OS vendors.

-Mike
Symantec Product Security Team

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Mann, Dave
Sent: Tuesday, October 11, 2011 3:04 PM
To: cve-editorial-board-list
Subject: CVE Must-Have Coverage

Folks,

Below, please find a somewhat stabilizing set of vulnerability sources. I've tried to capture the best consensus (not pure votes but close).

Please review the list and holler loudly and quickly if you see something you can't live with. This is a living document so nothing is cast in stone. Still, gaining a level of agreement on the scope is a necessary first step.

I'm particularly concerned at the almost complete lack of desktop or enterprise software packages being called out by vendor. Some are listed but by no means the majority. The implication to me is that we're very much relying on non-vendor sources to shed light on these types of software.

-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================

CVE VULNERABILITY INFORMATION SOURCES - PRIORITY

Government & Related Information Sources
  Must Have
    US-CERT Advisories (aka CERT-CC Advisories) US-CERT Vulnerability Notes (CERT-CC) US-CERT Bulletins (aka Cyber-Notes) CMU/CERT-CC DoD IAVAs
  Nice To Have
    NISCC AUS-CERT DOE CIRC (formerly CIAC)

Vendor Published Information
  Must Have
    Microsoft RedHat Apache Apple OSX Oracle Solaris Suse Mandriva HP-UX AIX Cisco IOS Free BSD Open BSD Net BSD Gentoo (Linux) Ubuntu (Linux) Adobe Mozilla Google Chrome
  Nice To Have
    Debian SCO Cisco

Mailing Lists & VDBs
  Must Have
    Bugtraq Full Disclosure Security Focus Security Tracker OSVDB Oss-security
  Nice To Have
    ISS X-Force FRSIRT (VUPEN) Secunia SecuriTeam Metasploit Snort Contagiodump.blogspot.com
  Ignore
    Vuln-Watch VulnDev Packet Storm SANS Mailing List (Qualys) Neohapsis (Security Threat Watch)