RE: Sources: Full and Partial Coverage (CNA increase)
On Fri, 22 Jun 2012, Mann, Dave wrote:

: >firstname.lastname@example.org] On Behalf Of Adam Shostack
: >I'm not sure which of these approaches would work best. Are there
: >other non-product-centric issues that folks have encountered? Perhaps
: >with more samples, we can find a category.
:
: It bears reiterating that there are (at least) 2 dimensions to this problem:
: + What is important to cover
: + How do we describe what we will and won't cover
: + How do we actually cover it if the list is big
:
: We are moving into a time in which we must accept that CVE can no longer
: aspire to provide ID coverage for the global software market.

I don't recall it coming up during this thread, but perhaps before I joined. Have we discussed the idea of creating more CNAs?

As one example, ZDI releases a sizable number of advisories, yet they are not a CNA. Since they typically release in products that will make the list most of you want, and they currently run into communication problems with vendors, they should be a CNA in my eyes. Even if they get a pool of 100 IDs a year, that is all they need. Now, think about a few dozen like that. Not only are they helping CVE, but potentially expanding coverage. Looking to JP-CERT or more non-US bodies that handle vulnerabilities could turn into a great asset to CVE.

I know I am an idealist in the land of VDBs oftentimes, but if this hasn't been explored, I think it is worth discussing.