Update Disclosure Sources List - Please Vote!
Folks,
First, thanks to all who've responded to the request for votes on must-haves and nice-to-haves regarding vulnerability disclosure sources.
If you haven't weighed in yet, please do so. Having us all (the Editorial Board) in agreement on must-haves vs. nice-to-haves will be important before we can talk about harder issues like response time and scalability.
I've compiled the votes to date and have presented them in plain text below (because, yes, I am that old).
BIG NOTE: I was expecting you all to add a *LOT* more different information sources. As Art correctly noted, this list of sources is dated. In particular, when it comes to vendor issued disclosures, it really reflects the traditional bias towards OS level vulnerabilities that speaks of our older history.
I'm frankly surprised that you all aren't suggesting more non-OS vendors that must be monitored.
I would ask that you all think hard about whether non-OS vendors should be added, or whether it is sufficient to monitor non-vendor sources for this class.
-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================
VULNERABILITY INFORMATION SOURCES [ M, N, I]
M = must have
N = nice to have
I = ignore
Government Information Sources
US-CERT Advisories (aka CERT-CC Advisories) [ 5, 0, 0]
US-CERT Vulnerability Notes (CERT-CC) [ 5, 0, 0]
US-CERT Bulletins (aka Cyber-Notes) [ 4, 1, 0]
DoD IAVAs [ 3, 1, 0]
NISCC [ 1, 3, 0]
AUS-CERT [ 2, 2, 1]
CIAC (name has changed) [ 1, 2, 2]
CNA Published Information
CMU/CERT-CC [ 5, 0, 0]
Microsoft [ 5, 0, 0]
Red Hat [ 5, 0, 0]
Debian [ 2, 3, 0]
Apache [ 5, 0, 0]
Apple OS X [ 5, 0, 0]
Oracle [ 5, 0, 0]
Non-CNA Vendor Advisories
Solaris [ 4, 0, 0]
SUSE [ 4, 1, 0]
Mandriva [ 4, 0, 1]
HP-UX [ 4, 1, 0]
SCO [ 2, 0, 3]
AIX [ 4, 0, 1]
Cisco IOS [ 5, 0, 0]
FreeBSD [ 4, 1, 0]
OpenBSD [ 4, 1, 0]
NetBSD [ 4, 0, 1]
Gentoo (Linux) [ 4, 1, 0]
Ubuntu (Linux) [ 4, 1, 0]
Mailing Lists & VDBs
Bugtraq [ 5, 0, 0]
Vuln-Watch [ 0, 0, 4]
VulnDev [ 0, 0, 4]
Full Disclosure [ 2, 3, 1]
Security Focus [ 2, 0, 1]
Security Tracker [ 2, 0, 1]
OSVDB [ 2, 2, 1]
ISS X-Force [ 1, 2, 1]
FRSIRT (VUPEN) [ 1, 3, 1]
Secunia [ 1, 2, 1]
Packet Storm [ 1, 1, 2]
SecuriTeam [ 0, 2, 1]
SANS Mailing List (Qualys) [ 0, 1, 2]
Neohapsis (Security Threat Watch) [ 0, 0, 3]
Metasploit [ 0, 1, 0]
Snort [ 0, 1, 0]
Contagiodump.blogspot.com [ 0, 1, 0]
Oss-security [ 1, 0, 0]