Re: Sources: Full and Partial Coverage
On Tue, Jun 12, 2012 at 09:52:47AM -0400, Art Manion wrote:
| On 2012-06-12 06:38 , Damir Rajnovic wrote:
| > This is interesting situation you are describing. Here is how I see a potential
| > scenario being played out. We select to cover products and SHINY is one of
| > them. To get vulnerabilities in SHINY we select Contagio as the source.
| > Things are working fine but Contagio is also providing information about
| > other products that are not on our list. The question is what to do with
| > this extra information? Is this what you are trying to illustrate?
| My read of this is that vulnerabilities included in exploit kits warrant
| CVE IDs.
| Again, we're doing a bit of a jump from "criteria for vulnerabilities to
| be included in CVE" to "sources that generally meet the criteria." But
| this one is pretty effective IMO.
| criteria: product SHINY
| source: vendor security page for SHINY
| criteria: things that are getting exploited
| source: Contagio, exploit db
| criteria: things that affect lots of users
| source: bugtraq? (which also contains things that don't meet this criteria)
| There aren't always going to be sources that directly map to criteria.
| So I think it's good for CVE to have criteria, and a list of sources.
| CVE is going to have to do some of the drudge work filtering through
| bugtraq/full-disclosure for things that meet the criteria (at least some
| of this can be computer-assisted).
I'm not sure which of these approaches would work best. Are there
other non-product-cetric issues that folks have encountered? Perhaps
with more samples, we can find a category.