Re: Sources: Full and Partial Coverage

To: Art Manion <amanion@cert.org>
Subject: Re: Sources: Full and Partial Coverage
From: Adam Shostack <adam@homeport.org>
Date: Tue, 12 Jun 2012 11:57:44 -0400
CC: Gaus <gaus@cisco.com>, security curmudgeon <jericho@attrition.org>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-Date: Tue Jun 12 11:59:13 2012
In-Reply-To: <4FD749AF.7010709@cert.org>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <2F43C4D2BE8AD24C8AC17D8C64B379B316E94C@IMCMBX01.MITRE.ORG> <CBD696D8.32CFA%kent_landfield@mcafee.com> <2F43C4D2BE8AD24C8AC17D8C64B379B3172CB9@IMCMBX01.MITRE.ORG> <D7A0423E5E193F40BE6E94126930C4930B994ABB80@MBCLUSTER.xchange.nist.gov> <20120518104737.GT9865@MacGaus.cisco.com> <alpine.LNX.2.00.1205181251230.11561@forced.attrition.org> <20120521133539.GD9865@MacGaus.cisco.com> <20120611160702.GC29160@homeport.org> <20120612103815.GK576@MacGaus.cisco.com> <4FD749AF.7010709@cert.org>
Sender: <owner-cve-editorial-board-list@LISTS.MITRE.ORG>
User-Agent: Mutt/1.5.13 (2006-08-11)

On Tue, Jun 12, 2012 at 09:52:47AM -0400, Art Manion wrote:
| On 2012-06-12 06:38 , Damir Rajnovic wrote:
| 
| > This is interesting situation you are describing. Here is how I see a potential
| > scenario being played out. We select to cover products and SHINY is one of
| > them. To get vulnerabilities in SHINY we select Contagio as the source.
| > Things are working fine but Contagio is also providing information about
| > other products that are not on our list. The question is what to do with
| > this extra information? Is this what you are trying to illustrate?
| 
| My read of this is that vulnerabilities included in exploit kits warrant
| CVE IDs.
| 
| Again, we're doing a bit of a jump from "criteria for vulnerabilities to
| be included in CVE" to "sources that generally meet the criteria."  But
| this one is pretty effective IMO.
|
| criteria: product SHINY
| source: vendor security page for SHINY
| 
| criteria: things that are getting exploited
| source: Contagio, exploit db
|
| criteria: things that affect lots of users
| source: bugtraq? (which also contains things that don't meet this criteria)
| 
| There aren't always going to be sources that directly map to criteria.
| So I think it's good for CVE to have criteria, and a list of sources.
| CVE is going to have to do some of the drudge work filtering through
| bugtraq/full-disclosure for things that meet the criteria (at least some
| of this can be computer-assisted).

I'm not sure which of these approaches would work best.  Are there
other non-product-cetric issues that folks have encountered?  Perhaps
with more samples, we can find a category.

Adam

Follow-Ups:
- RE: Sources: Full and Partial Coverage
  - From: "Mann, Dave" <damann@mitre.org>

References:
- Re: Sources: Full and Partial Coverage
  - From: Adam Shostack <adam@homeport.org>
- Re: Sources: Full and Partial Coverage
  - From: Damir Rajnovic <gaus@cisco.com>
- Re: Sources: Full and Partial Coverage
  - From: Art Manion <amanion@cert.org>

Prev by Date: Re: Sources: Full and Partial Coverage
Next by Date: Re: Sources: Full and Partial Coverage
Prev by thread: Re: Sources: Full and Partial Coverage
Next by thread: RE: Sources: Full and Partial Coverage
Index(es):
- Date
- Thread

Page Last Updated: November 06, 2012

Common Vulnerabilities and Exposures

Re: Sources: Full and Partial Coverage