Re: Sources: Full and Partial Coverage
On 5/17/12 4:57 PM, security curmudgeon wrote:
> On Thu, 17 May 2012, Booth, Harold wrote:
>
> : > However, if you say "CVE, monitor ProductX", and due to an incomplete list of sources
> : > being monitored, they end up issuing an ID for only 70% of the vulnerabilities disclosed
> : > in ProductX, has that met your need?
> :
> : No, it has not. But then CVE and everyone else will know that, since the
> : goal has been defined in terms of "monitor ProductX". Changes to process
> : and tools will be made to get the number closer to 100%. If the goal is
> : defined as "monitor sources X, Y and Z" which result in an ID for 70% of
> : the vulnerabilities disclosed for ProductX there is likely no explicit
> : step in the process to improve coverage of ProductX. "What gets
> : measured, gets done," and I believe measuring in terms of products
> : instead of sources will lead to more desirable results.
>
> That is a good point, but not sure if either of us can justify our
> positions short of "CVE would have to try it" =)
>
> In my mind, if you monitor the right sources, you approach 100% for more
> products in a repeatable fashion, than if you try to go off a list of
> products first.

I'm being a bit of a jerk on purpose, but I have a gmail account that is subscribed to a bunch of vul mailing lists and feeds. CVE should monitor that list, and only that list. The owner or users of a source (whoever can post content) decide what products are covered.

Talking about sources is a reasonable (and practical) proxy for talking about products. But in strict requirements terms, coverage should be about products, or types of vulnerabilities, or languages.

- Art