CVE Must-Have Coverage



Folks,

Below, please find a somewhat stabilizing set of vulnerability sources.

I've tried to capture the best consensus (not pure votes but close).

Please review the list and holler loudly and quickly if you see something you can't live with. This is a living document so nothing is cast in stone. Still, gaining a level of agreement on the scope is a necessary first step.

I'm particularly concerned at the almost complete lack of desktop or enterprise software packages being called out by vendor.

Some are listed but by no means the majority.  The implication to me is that we're very much relying on non-vendor sources to shed light on these types of software.


-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================

CVE VULNERABILITY INFORMATION SOURCES - PRIORITY


Government & Related Information Sources
  Must Have
    US-CERT Advisories (aka CERT-CC Advisories)
    US-CERT Vulnerability Notes (CERT-CC)
    US-CERT Bulletins (aka Cyber-Notes)
    CMU/CERT-CC
    DoD IAVAs
  Nice To Have
    NISCC
    AUS-CERT
    DOE CIRC (formerly CIAC)


Vendor Published Information
  Must Have
    Microsoft
    RedHat
    Apache
    Apple OSX
    Oracle
    Solaris
    Suse
    Mandriva
    HP-UX
    AIX
    Cisco IOS
    Free BSD
    Open BSD
    Net BSD
    Gentoo (Linux)
    Ubuntu (Linux)
    Adobe
    Mozilla
    Google Chrome
  Nice To Have
    Debian
    SCO
    Cisco


Mailing Lists & VDBs
  Must Have
    Bugtraq
    Full Disclosure
    Security Focus
    Security Tracker
    OSVDB
    Oss-security
  Nice To Have
    ISS X-Force
    FRSIRT (VUPEN)
    Secunia
    SecuriTeam
    Metasploit
    Snort
    Contagiodump.blogspot.com
  Ignore
    Vuln-Watch
    VulnDev
    Packet Storm
    SANS Mailing List (Qualys)
    Neohapsis (Security Threat Watch)



Page Last Updated or Reviewed: November 06, 2012