Re: CVE Information Sources & Scope
> Government Information Sources
> US-CERT Advisories (aka CERT-CC Advisories)

Must have. Although largely republication at the moment, we expect this to change, and volume is fairly low.

> US-CERT Vulnerability Notes (CERT-CC)

Must have.

> US-CERT Bulletins (aka Cyber-Notes)

These are collections of already public reports, possibly generated from CVE even?

> DoD IAVAs

Doubt usefulness. Republication well after CVE has been assigned?

> NISCC

Good to watch, new vul reports rarely come out.

> AUS-CERT

Almost exclusively republication. AusCERT even provides a list of what products/vendors they monitor (or did).

> CIAC

Name changed, believe this is entirely republication.

> CNA Published Information
> CMU/CERT-CC

Must have, but included in US-CERT vul notes and Alerts above.

> Microsoft
> RedHat
> Debian
> Apache
> Apple OSX
> Oracle

Must have.

> Non-CNA Vendor Advisories
> Solaris
> Suse
> Mandriva
> HP-UX
> SCO
> AIX
> Cisco IOS
> Free BSD
> Open BSD
> Net BSD
> Gentoo (Linux)
> Ubuntu (Linux)

Must have, although as usual lots of duplication across Linux/UNIX distros.

> Mailing Lists & VDBs

It's been a while since I watched any of these closely.

> Bugtraq

Must have.

> Vuln-Watch
> VulnDev

Not sure what these are like anymore. Seemed to be low signal.

> Full Disclosure

Lots of noise, but new reports come out. Must have.

> Security Focus

Bugtraq? Or other lists?

> Security Tracker

Not sure of current quality/signal.

> OSVDB

Must have, because they're trying to be reference complete.

> ISS X-Force
> FRSIRT

Changed name again -- VUPEN? If they provide original reports, then must have.

> Secunia

Good to have.

> Packet Storm

No longer familiar, seems dated.

> SecuriTeam

No longer familiar.

> SANS Mailing List (Qualys)

Don't know about new vul reports here.

> Neohapsis (Security Threat Watch)

Only know about their archive service.
IMO, any and every source of "OC" (original content, original vul reports) should be monitored, starting with major vendors, CNAs, and sources with high quality signal (even if they are also noisy).

- Art