[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Sources: Full and Partial Coverage



Hi,

Since I just joined I am probably missing some of the context so excuse me if
I am asking known things.

What is the criteria for selecting who will fall into which category? You are
mentioning 'priority' - in what sense you meant it?

Thanks,

Gaus


On Fri, May 04, 2012 at 09:59:06PM +0000, Mann, Dave wrote:
> All,
> 
> We seek your input on the following sets of sources of vulnerability information.  All of the sources in the following list have been identified in our prior discussions as "must-haves".
> 
> We are breaking this list into 3 groups:
> + Sources that should be fully covered
> + Sources that should be monitored but selectively covered
> + Sources that present big challenges meriting further discussion
> 
> For the purpose of our current discussions, we would like your feedback, reactions and input on these first 2 groups.  The primary question is, should any in the first group be demoted to the second and, conversely, should any from the second group be promoted to the first.
> 
> As you consider these groups, understand that we are discussing prioritization, not feasibility.  It may be the case that CVE's current practices will need to be changed to provide the stated coverage goals for some of these sources.  We'll address that issue in later email discussions.
> 
> We'll give some indications as to why we think the second group should be only partially covered below.
> 
> 
> SHOULD BE FULLY COVERED
> -----------------------
> US-CERT: Technical Cyber Security Alerts
> RealNetworks (real.com)
> Apple
> EMC, as published through Bugtraq
> VMware
> Google: Google Chrome (includes WebKit)
> IBM: issues in IBM ISS X-Force Database
> Internet Systems Consortium (ISC)
> MIT Kerberos
> Adobe
> Apache Software Foundation: Apache HTTP Server
> Cisco: Security Advisories/Responses
> HP: Security Bulletins                         
> Microsoft: Security Bulletins/Advisories
> Mozilla
> Oracle                                      
> 
> 
> SHOULD BE MONITORED BUT SELECTIVELY COVERED
> -------------------------------------------
> US-CERT: Vulnerability Notes [1]
> Symantec: SecurityFocus BugTraq (securityfocus.com/archive/1) [1]
> Symantec: SecurityFocus Bugtraq ID (securityfocus.com/bid) [1]   
> Full Disclosure [1]
> OSVDB [1]                                       
> SecurityTracker [1]                             
> FreeBSD [2]                                    
> NetBSD [2]                                  
> OpenBSD [2]                                    
> Mandriva [2]                                   
> oss-security [3]
> IBM: issues not in IBM ISS X-Force Database [4]
> 
> 
> PRESENT BIG CHALLENGES THAT MERIT DISCUSSION AT A LATER TIME
> ------------------------------------------------------------
> Debian
> Red Hat                                      
> Attachmate: SUSE                                        
> Ubuntu (Linux)                              
> 
> 
> [1] - These sources tend to contain a mixture a both high priority issues and lower priority issues.  It is reasonable to not assign CVE ids for vulnerabilities affecting software with limited distribution and impact. 
> 
> [2] - We believe that these systems are low enough in terms of their market share and distribution that it is reasonable to only assign CVE ids for more critical vulnerabilities from these sources.
> 
> [3] - For the most part, we believe that issues disclosed on this are already disclosed in other sources that we actively monitor.
> 
> [4] - At present, IBM has no centralized distribution source for vulnerability information related to many of its products.  Some IBM products use the ISS X-Force database as their disclosure mechanism, which is listed as fully covered source (for IBM issues only).  
> 
> -Dave
> ==================================================================
> David Mann | Principal Infosec Scientist | The MITRE Corporation
> ------------------------------------------------------------------
> e-mail:damann@mitre.org | cell:781.424.6003
> ==================================================================
> 

==============
Damir Rajnovic <psirt@cisco.com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/go/psirt>      Telephone: +44 7715 546 033
200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
==============
There are no insolvable problems. 
The question is can you accept the solution? 


Incident Response and Product Security
http://www.ciscopress.com/bookstore/product.asp?isbn=1587052644


- - - -
Cisco.com - http://www.cisco.com/global/UK

This e-mail may contain confidential and privileged material for the sole 
use of the intended recipient. Any review, use, distribution or disclosure by 
others is strictly prohibited. If you are not the intended recipient (or 
authorized to receive for the recipient), please contact the sender by reply 
e-mail and delete all copies of this message.

Cisco Systems Limited (Company Number: 02558939), is registered in England 
and Wales with its registered office at 1 Callaghan Square, Cardiff, 
South Glamorgan CF10 5BT

For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html


 
Page Last Updated: November 06, 2012