RE: Sources: Full and Partial Coverage
Folks,

Three comments...

1) Our language has moved from "must have/nice to have" to "fully covered/partially covered".

2) In our current discussion, we are only considering sources that you all identified as "must haves" in our prior discussion. The list that I posted last Friday broke your previous "must haves" into 2 sub-groups: sources that the CVE team agrees should be "fully covered" and sources that the CVE team believes should be demoted to "partially covered status".

THE PRIMARY QUESTIONS WE'RE SEEKING GUIDANCE ON ARE:

A) SHOULD ANY OF OUR SUGGESTED PARTIALLY COVERED SOURCES BE PROMOTED BACK TO FULLY COVERED STATUS?

B) ARE THERE ANY OTHER SOURCES YOU BELIEVE SHOULD BE FULLY COVERED?

3) As you consider these questions, please bear in mind that we have a very long list of sources previously designated as "nice to have". We would ask that you hold your suggestions for other partially covered sources (aka nice to have) for later when we consider the full list of partially covered sources (in addition to those we suggest demoting).

Here are the lists again, along with a list of sources that have been nominated as needing to be fully covered. We would like more discussion on the fully covered sets. Note, we may not be able to cover all of the sources being nominated as full coverage, so please consider and defend your nominations in that light.

SHOULD BE FULLY COVERED
-----------------------
US-CERT: Technical Cyber Security Alerts
RealNetworks (real.com)
Apple
EMC, as published through Bugtraq
VMware
Google: Google Chrome (includes WebKit)
IBM: issues in IBM ISS X-Force Database
Internet Systems Consortium (ISC)
MIT Kerberos
Adobe
Apache Software Foundation: Apache HTTP Server
Cisco: Security Advisories/Responses
HP: Security Bulletins
Microsoft: Security Bulletins/Advisories
Mozilla
Oracle

SHOULD BE MONITORED BUT SELECTIVELY COVERED (being demoted)
-------------------------------------------
US-CERT: Vulnerability Notes [1]
Symantec: SecurityFocus BugTraq (securityfocus.com/archive/1) [1]
Symantec: SecurityFocus Bugtraq ID (securityfocus.com/bid) [1]
Full Disclosure [1]
OSVDB [1]
SecurityTracker [1]
FreeBSD [2]
NetBSD [2]
OpenBSD [2]
Mandriva [2]
oss-security [3]
IBM: issues not in IBM ISS X-Force Database [4]

PRESENT BIG CHALLENGES THAT MERIT DISCUSSION AT A LATER TIME
------------------------------------------------------------
Debian
Red Hat
Attachmate: SUSE
Ubuntu (Linux)

Requests for Additional Fully-Covered Sources
----------------------------------------------
Juniper - JTAC Technical Bulletins
Citrix / Xen
ASF: Apache Tomcat
Samba Security Updates and Information
PHP
FoxIt Support Center - Security Advisories
Symantec Security (Not BIDs but actual Symantec Advisories)
McAfee Security
Exploit Database (for entries containing exploit code)

-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================