RE: Sources: Full and Partial Coverage (CNA increase)
> -----Original Message-----
> From: firstname.lastname@example.org [mailto:owner-cve-email@example.com] On Behalf Of security curmudgeon
> Sent: 22 June 2012 23:37
> To: Mann, Dave
> Cc: cve-editorial-board-list
> Subject: RE: Sources: Full and Partial Coverage (CNA increase)
> As one example, ZDI releases a sizable number of advisories, yet they are not
> a CNA. Since they typically release in products that will make the list most of
> you want, and they currently run into communication problems with
> vendors, they should be a CNA in my eyes. Even if they get a pool of
> 100 IDs a year, that is all they need.
> Now, think about a few dozen like that. Not only are they helping CVE, but
> potentially expanding coverage. Looking to JP-CERT or more non-US bodies
> that handle vulnerabilities could turn into a great asset to CVE.
> I know I am an idealist in the land of VDBs often times, but if this hasn't been
> explored, I think it is worth discussing.
I fully agree that getting more properly educated CNAs is the way to go - especially focusing on those primary sources that provide a large number of advisories like major software vendors (already seem pretty well covered) and vulnerability coordination houses like the mentioned ZDI, iDefense VCP (though I'm not sure how "alive" it is anymore), and Exodus Intelligence EIP, which was just started by a number of "ZDI defectors" as they're being referred to.
Secunia is already a CNA to specifically assign CVE identifiers to internally discovered vulnerabilities as well as the ones coordinated via our SVCRP program.
If major vendors as well as the Top3/Top5 vulnerability coordination houses are CNAs, then we would "automatically" get solid coverage for a lot of the most interesting sources/products.
Med venlig hilsen / Kind regards
Carsten H. Eiram
Chief Security Specialist
Rued Langgaards Vej 8
2300 Copenhagen S
Phone +45 7020 5144
Fax +45 7020 5145