RE: Sources: Full and Partial Coverage (CNA increase)



On Fri, 22 Jun 2012, Mann, Dave wrote:

: >editorial-board-list@lists.mitre.org] On Behalf Of Adam Shostack
: >I'm not sure which of these approaches would work best.  Are there
: >other non-product-centric issues that folks have encountered?  Perhaps
: >with more samples, we can find a category.
:
: It bears reiterating that there are (at least) 2 dimensions to this problem:
: + What is important to cover
: + How do we describe what we will and won't cover

+ How do we actually cover it if the list is big

: We are moving into a time in which we must accept that CVE can no longer
: aspire to provide ID coverage for the global software market.

I don't recall it coming up during this thread, but perhaps before I
joined. Have we discussed the idea of creating more CNAs?

As one example, ZDI releases a sizable number of advisories, yet they are
not a CNA. Since they typically release in products that will make the
list most of you want, and they currently run into communication problems
with vendors, they should be a CNA in my eyes. Even if they get a pool of
100 IDs a year, that is all they need.

Now, think about a few dozen like that. Not only are they helping CVE, but
potentially expanding coverage. Looking to JP-CERT or more non-US bodies
that handle vulnerabilities could turn into a great asset to CVE.

I know I am an idealist in the land of VDBs often times, but if this
hasn't been explored, I think it is worth discussing.


Page Last Updated or Reviewed: November 06, 2012