Re: Sources: Full and Partial Coverage (CNA increase)
On 6/25/12 11:38 AM, Mann, Dave wrote:
> We haven't talked about increasing the number of CNAs yet, but that is definitely coming.
> Increasing CNAs is a part of the "how" we cover what we cover discussion, as is quality of descriptions and minimum requirements.
> First we need to get through the "what" we're going to cover part.
OK, I'm trying to reconcile the products and sources approaches, and I
don't think it matters much, unless we're already at the point of trying
to distribute CNA coverage.
What should CVE cover? CVE should cover vulnerabilities. I'd like CVE
to cover, if not all, then the most important vulnerabilities. "Most
important" gets a bit tricky, but one aspect should be the scope of the
vulnerability -- the number of people affected, possibly within a
constituency. A vulnerability affects one or more products, and we care
about products because they are used by or affect (service) many (or
phpGolf? Affects few, don't include. (*)
Microsoft XML Core Services? Affects many, include.
Other "importance" factors are the usual things like impact, ease of
exploitation, related incident activity, ease of access, etc. CVSS-like
stuff. I don't necessarily recommend this, but CVE should include all
vulnerabilities with a CVSS environmental score of X or higher (with
environment == the internet).
*) I'd still like to be able to talk about this vulnerability, so give
it an ID and a URL to the report. If it turns out to be false or a
duplicate, mark it accordingly. Let me decide if I care about phpGolf
or not. We're assuming (and are probably correct) that most people
don't care (or maybe that only few people use phpGolf), so it isn't
worth the effort to create a CVE entry.
But... CVE includes vulnerabilities. Products are a vulnerability criterion.
I think the task to define what to include in CVE should be developing
language that defines an "important vulnerability."
1. What? CVE should include "important" vulnerabilities.
Vulnerabilities that allow remote root, that affect > 10 people, that
are being exploited, that have UIs in Spanish, etc.
2. How? CVE can draft a list of sources it monitors, and/or a list of
products covered (by criteria defined in #1), and/or a list of CNAs
responsible for public vul disclosure market segments (ICS-CERT,
CN-CERT, etc), and definitions of those segments. There's discussion
about products or sources-based criteria, I don't think it matters, we
can have lists of both, as long as they are in service to #1.
Perhaps we jumped straight to #2, since we all know CVE is about
vulnerabilities, and Dave is after the list of sources?
PS, can/should we convene the board (or enough of it) in person? Via
WebEx or equivalent?