[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
CVE Must-Have Coverage
Folks,
Below, please find a somewhat stabilizing set of vulnerability sources.
I've tried to capture the best consensus (not pure votes but close).
Please review the list and holler loudly and quickly if you see something you can't live with. This is a living document so nothing is cast in stone. Still gaining a level of agreement on the scope is a necessary first step.
I'm particularly concerned at the almost complete lack of desktop or enterprise software packages being called out by vendor.
Some are listed but by no means the majority. The implication to me is that we're very much relying on non-vendor sources to shed light on these types of software.
-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================
CVE VULNERABILITY INFORMATION SOURCES - PRIORITY
Government & Related Information Sources
Must Have
US-CERT Advisories (aka CERT-CC Advisories)
US-CERT Vulnerability Notes (CERT-CC)
US-CERT Bulletins (aka Cyber-Notes)
CMU/CERT-CC
DoD IAVAs
Nice To Have
NISCC
AUS-CERT
DOE CIRC (formerly CIAC)
Vendor Published Information
Must Have
Microsoft
RedHat
Apache
Apple OSX
Oracle
Solaris
Suse
Mandriva
HP-UX
AIX
Cisco IOS
Free BSD
Open BSD
Net BSD
Gentoo (Linux)
Ubuntu (Linux)
Adobe
Mozilla
Google Chrome
Nice To Have
Debian
SCO
Cisco
Mailing Lists & VDBs
Must Have
Bugtraq
Full Disclosure
Security Focus
Security Tracker
OSVDB
Oss-security
Nice To Have
ISS X-Force
FRSIRT (VUPEN)
Secunia
SecuriTeam
Metasploit
Snort
Contagiodump.blogspot.com
Ignore
Vuln-Watch
VulnDev
Packet Storm
SANS Mailing List (Qualys) ]
Neohapsis (Security Threat Watch)