[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Providing mappings to vendors: Update




All:

Barring any sudden surprises from our lawyer, it looks like there
won't be much of a problem on MITRE's end to provide each vendor with
their own mapping(s).  However, Dave and I still have to go through
one more piece of red tape, so we can't say we're 100% sure (although
I'd say we're 90% sure).  We should have something concrete by the
middle of next week.

As a heads-up for you to consider:

1) You will be required to sign an NDA to obtain the mappings.
Informally, the wording of the NDA will allow you to use the MITRE
mapping, but will not allow you to redistribute the MITRE mapping or
use it for marketing purposes (e.g. it couldn't be used to say "MITRE
says we check xxx vulnerabilities, for example); *but*, you will be
allowed to use the MITRE mapping as a basis for your own mappings.

2) For the mappings to be most effective, I need to obtain an
up-to-date vulnerability list from you for your tool(s), in the
following format (or as close as possible):

  - a single line per vulnerability (or, multiple line entries
    separated by a carriage return)
  - short text description for the vulnerability (single line "short
    descriptions, or 3-5 lines; worst case, the full description)
  - INCLUDE YOUR OWN ID FOR THE VULNERABILITY.   (Preferably the first
    part of the vulnerability entry, but not required).  This
    requirement is for your benefit - most vulnerability lists I
    used don't have the vendor's vulnerability ID associated with it,
    so you would have had to match up CVE numbers to your text
    descriptions.  Whatever ID you use is fine, as long as it allows
    you to get to the information you need.
  - list references (preferred, not required; this helps narrow the
    search and increases accuracy)

If you would have problems producing a list such as this, please let
me know.


Here are some example entries (a la X-force database, where the first
word in the line is the X-Force vulnerability name):

aix-infod AIX infod vulnerability allows local user to gain root access

bnu-uucpd-bo BNU uucpd contains a buffer overflow which allows a local
user to execute arbitrary commands as root.

smtp-875bo Sendmail 8.7.5 stack BO

...


Vendors, please let me know (a) about how long it would take you to
sign an NDA once you receive it, (b) how long it would take you to
generate the vulnerability lists I identified above, and (c) if you
can't provide us with your updated vulnerability lists without
requiring a formal NDA for MITRE to sign.


Thanks,
- Steve

Page Last Updated or Reviewed: May 22, 2007