RE: Sources: Full and Partial Coverage (CNA increase)

To: "Mann, Dave" <damann@mitre.org>
Subject: RE: Sources: Full and Partial Coverage (CNA increase)
From: security curmudgeon <jericho@attrition.org>
Date: Fri, 22 Jun 2012 16:37:28 -0500
CC: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-Date: Fri Jun 22 17:39:02 2012
In-Reply-To: <2F43C4D2BE8AD24C8AC17D8C64B379B3012C0CD1@IMCMBX01.MITRE.ORG>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <2F43C4D2BE8AD24C8AC17D8C64B379B316E94C@IMCMBX01.MITRE.ORG> <CBD696D8.32CFA%kent_landfield@mcafee.com> <2F43C4D2BE8AD24C8AC17D8C64B379B3172CB9@IMCMBX01.MITRE.ORG> <D7A0423E5E193F40BE6E94126930C4930B994ABB80@MBCLUSTER.xchange.nist.gov> <20120518104737.GT9865@MacGaus.cisco.com> <alpine.LNX.2.00.1205181251230.11561@forced.attrition.org> <20120521133539.GD9865@MacGaus.cisco.com> <20120611160702.GC29160@homeport.org> <20120612103815.GK576@MacGaus.cisco.com> <4FD749AF.7010709@cert.org> <20120612155744.GB10516@homeport.org> <2F43C4D2BE8AD24C8AC17D8C64B379B3012C0CD1@IMCMBX01.MITRE.ORG>
Sender: <owner-cve-editorial-board-list@LISTS.MITRE.ORG>
User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)

On Fri, 22 Jun 2012, Mann, Dave wrote:

: >editorial-board-list@lists.mitre.org] On Behalf Of Adam Shostack
: >I'm not sure which of these approaches would work best.  Are there
: >other non-product-cetric issues that folks have encountered?  Perhaps
: >with more samples, we can find a category.
: 
: It bears reiterating that there are (at least) 2 dimensions to this problem:
: + What is important to cover
: + How do we describe what we will and won't cover

+ How do we actually cover it if the list is big

: We are moving into a time in which we must accept that CVE can no longer 
: aspire to provide ID coverage for the global software market.

I don't recall it coming up during this thread, but perhaps before I 
joined. Have we discussed the idea of creating more CNAs? 

As one example, ZDI releases a sizable number of advisories, yet they are 
not a CNA. Since they typically release in products that will make the 
list most of you want, and they currently run into communication problems 
with vendors, they should be a CNA in my eyes. Even if they get a pool of 
100 IDs a year, that is all they need.

Now, think about a few dozen like that. Not only are they helping CVE, but 
potentially expanding coverage. Looking to JP-CERT or more non-US bodies 
that handle vulnerabilities could turn into a great asset to CVE.

I know I am an idealist in the land of VDBs often times, but if this 
hasn't been explored, I think it is worth discussing.

Follow-Ups:
- RE: Sources: Full and Partial Coverage (CNA increase)
  - From: Carsten Eiram <che@secunia.com>

References:
- Re: Sources: Full and Partial Coverage
  - From: Adam Shostack <adam@homeport.org>
- Re: Sources: Full and Partial Coverage
  - From: Damir Rajnovic <gaus@cisco.com>
- Re: Sources: Full and Partial Coverage
  - From: Art Manion <amanion@cert.org>
- Re: Sources: Full and Partial Coverage
  - From: Adam Shostack <adam@homeport.org>
- RE: Sources: Full and Partial Coverage
  - From: "Mann, Dave" <damann@mitre.org>

Prev by Date: RE: Sources: Full and Partial Coverage
Next by Date: RE: Sources: Full and Partial Coverage (CNA increase)
Prev by thread: RE: Sources: Full and Partial Coverage
Next by thread: RE: Sources: Full and Partial Coverage (CNA increase)
Index(es):
- Date
- Thread

Page Last Updated: November 06, 2012

Common Vulnerabilities and Exposures

RE: Sources: Full and Partial Coverage (CNA increase)