RE: Sources: Full and Partial Coverage
On Thu, 17 May 2012, Booth, Harold wrote:

: > However, if you say "CVE, monitor ProductX", and due to an incomplete list of sources
: > being monitored, they end up issuing an ID for only 70% of the vulnerabilities disclosed
: > in ProductX, has that met your need?
:
: No, it has not. But then CVE and everyone else will know that, since the
: goal has been defined in terms of "monitor ProductX". Changes to process
: and tools will be made to get the number closer to 100%. If the goal is
: defined as "monitor sources X, Y and Z" which result in an ID for 70% of
: the vulnerabilities disclosed for ProductX there is likely no explicit
: step in the process to improve coverage of ProductX. "What gets
: measured, gets done," and I believe measuring in terms of products
: instead of sources will lead to more desirable results.

That is a good point, but not sure if either of us can justify our positions short of "CVE would have to try it" =)

In my mind, if you monitor the right sources, you approach 100% for more products in a repeatable fashion, than if you try to go off a list of products first.