[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE Information Sources & Scope



Folks,

I've been away at a conference and just back so thought I would nudge the conversation regarding CVE forward.

We really need to push further on questions of scope before we can talk about staffing, speed and quality issues.

Below (under my sig file) is a list of possible information sources that CVE could use.  This list is not meant to be complete, or even framed in the most helpful way.   But, I want to get some form of specifics out to foster more discussion.

I've organized this into 4 groups: Government Information Sources, CNA Published Information, Non-CNA Vendor Advisories, Mailing Lists & VDBs.

Please review each sub-list and categorize each information source as:
+ must have
+ nice to have
+ should be ignored

The yard-stick by which to consider these is, does CVE need to capture vulnerabilities from this source in order to full-fill its charter?

Also, if you see any "must have" or "nice to have"  information source, please add them to the list and 


-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================


Government Information Sources
  US-CERT Advisories (aka CERT-CC Advisories)
  US-CERT Vulnerability Notes (CERT-CC)
  US-CERT Bulletins (aka Cyber-Notes)
  DoD IAVAs 
  NISCC
  AUS-CERT
  CIAC


CNA Published Information
  CMU/CERT-CC
  Microsoft
  RedHat
  Debian
  Apache
  Apple OSX
  Oracle

  
Non-CNA Vendor Advisories
  Solaris 
  Suse 
  Mandriva
  HP-UX
  SCO
  AIX
  Cisco IOS
  Free BSD
  Open BSD
  Net BSD
  Gentoo (Linux)
  Ubuntu (Linux)



Mailing Lists & VDBs
  Bugtraq
  Vuln-Watch
  VulnDev
  Full Disclosure
  Security Focus
  Security Tracker
  OSVDB
  ISS X-Force
  FRSIRT
  Secunia
  Packet Storm
  SecuriTeam
  SANS Mailing List (Qualys)
  Neohapsis (Security Threat Watch)



 
Page Last Updated: November 06, 2012