
RE: Update Disclosure Sources List - Please Vote!
On Wed, 5 Oct 2011, Williams, James K wrote:

> http://www.webappsec.org/lists/websecurity/archive/
> Notes: mostly noise, but rare vuln disclosures do occur

In these cases, it may be more reasonable to depend on "inheriting"
coverage from the other vuln DBs.

> http://www.linuxsecurity.com/
> Notes: Central resource for major linux vendors, but would be better to
> monitor vendor directly

I agree with that.

> http://www.immunityinc.com/ceu-index.shtml
> Notes: Regularly post fresh or zero day exploit info, but must have
> subscription

These then are "not public" and outside scope.  Several years ago, we went
through a phase where we tried to cover paid exploit packs e.g. from
Evgeny or CANVAS, but there is so little public information that the risk
of dupes seemed too high.

> http://aluigi.altervista.org/
> Notes: very prolific vuln researcher, worth monitoring directly due to
> volume

Luigi is getting extra attention these days because of his SCADA exploits.

> http://www.coresecurity.com/content/core-impact-pro-security-updates
> Notes: Occasionally post fresh or zero day exploit info, but must have
> subscription

CORE is one of a relatively small number of researcher CNAs (including
Secunia) for their own advisories, so they should be "must have".

- Steve


Page Last Updated or Reviewed: November 06, 2012