CVE Information Sources & Scope
Folks,

I've been away at a conference and just back so thought I would nudge the conversation regarding CVE forward.

We really need to push further on questions of scope before we can talk about staffing, speed and quality issues.

Below (under my sig file) is a list of possible information sources that CVE could use. This list is not meant to be complete, or even framed in the most helpful way. But, I want to get some form of specifics out to foster more discussion.

I've organized this into 4 groups: Government Information Sources, CNA Published Information, Non-CNA Vendor Advisories, Mailing Lists & VDBs.

Please review each sub-list and categorize each information source as:

  + must have
  + nice to have
  + should be ignored

The yard-stick by which to consider these is, does CVE need to capture vulnerabilities from this source in order to fulfill its charter?

Also, if you see any "must have" or "nice to have" information source, please add them to the list and

-Dave

==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================

Government Information Sources
  US-CERT Advisories (aka CERT-CC Advisories)
  US-CERT Vulnerability Notes (CERT-CC)
  US-CERT Bulletins (aka Cyber-Notes)
  DoD IAVAs
  NISCC
  AUS-CERT
  CIAC

CNA Published Information
  CMU/CERT-CC
  Microsoft
  RedHat
  Debian
  Apache
  Apple OSX
  Oracle

Non-CNA Vendor Advisories
  Solaris
  Suse
  Mandriva
  HP-UX
  SCO
  AIX
  Cisco IOS
  Free BSD
  Open BSD
  Net BSD
  Gentoo (Linux)
  Ubuntu (Linux)

Mailing Lists & VDBs
  Bugtraq
  Vuln-Watch
  VulnDev
  Full Disclosure
  Security Focus
  Security Tracker
  OSVDB
  ISS X-Force
  FRSIRT
  Secunia
  Packet Storm
  SecuriTeam
  SANS Mailing List (Qualys)
  Neohapsis (Security Threat Watch)