
Update Disclosure Sources List - Please Vote!



Folks,

First, thanks to all who've responded to the request for votes on must-haves and nice to haves regarding vulnerability disclosure sources.

If you haven't weighed in yet, please do so.  Having us all (the Editorial Board) in agreement on must-haves vs nice-to-haves will be important before we can talk about harder issues like response time and scalability.

I've compiled the votes to date and have presented them in plain text below (because, yes, I am that old).

BIG NOTE:  I was expecting you all to add a *LOT* more different information sources.  As Art correctly noted, this list of sources is dated.  In particular, when it comes to vendor issued disclosures, it really reflects the traditional bias towards OS level vulnerabilities that speaks of our older history.

I'm frankly surprised that you all aren't suggesting more non-OS vendors that must be monitored.

I would ask that you all think hard about whether or not non-OS vendors should be added, or is it sufficient to monitor non-vendor sources for this class?


-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================


VULNERABILITY INFORMATION SOURCES             [ M,  N,  I]
  M = must have
  N = nice to have
  I = ignore


Government Information Sources
  US-CERT Advisories (aka CERT-CC Advisories) [ 5,  0,  0]
  US-CERT Vulnerability Notes (CERT-CC)       [ 5,  0,  0]
  US-CERT Bulletins (aka Cyber-Notes)         [ 4,  1,  0]
  DoD IAVAs                                   [ 3,  1,  0]
  NISCC                                       [ 1,  3,  0]
  AUS-CERT                                    [ 2,  2,  1]
  CIAC (name has changed)                     [ 1,  2,  2]


CNA Published Information
  CMU/CERT-CC                                 [ 5,  0,  0]
  Microsoft                                   [ 5,  0,  0]
  Red Hat                                     [ 5,  0,  0]
  Debian                                      [ 2,  3,  0]
  Apache                                      [ 5,  0,  0]
  Apple OSX                                   [ 5,  0,  0]
  Oracle                                      [ 5,  0,  0]

Non-CNA Vendor Advisories
  Solaris                                     [ 4,  0,  0]
  SUSE                                        [ 4,  1,  0]
  Mandriva                                    [ 4,  0,  1]
  HP-UX                                       [ 4,  1,  0]
  SCO                                         [ 2,  0,  3]
  AIX                                         [ 4,  0,  1]
  Cisco IOS                                   [ 5,  0,  0]
  FreeBSD                                     [ 4,  1,  0]
  OpenBSD                                     [ 4,  1,  0]
  NetBSD                                      [ 4,  0,  1]
  Gentoo (Linux)                              [ 4,  1,  0]
  Ubuntu (Linux)                              [ 4,  1,  0]


Mailing Lists & VDBs
  Bugtraq                                     [ 5,  0,  0]
  VulnWatch                                   [ 0,  0,  4]
  VulnDev                                     [ 0,  0,  4]
  Full Disclosure                             [ 2,  3,  1]
  SecurityFocus                               [ 2,  0,  1]
  SecurityTracker                             [ 2,  0,  1]
  OSVDB                                       [ 2,  2,  1]
  ISS X-Force                                 [ 1,  2,  1]
  FrSIRT (VUPEN)                              [ 1,  3,  1]
  Secunia                                     [ 1,  2,  1]
  Packet Storm                                [ 1,  1,  2]
  SecuriTeam                                  [ 0,  2,  1]
  SANS Mailing List (Qualys)                  [ 0,  1,  2]
  Neohapsis (Security Threat Watch)           [ 0,  0,  3]
  Metasploit                                  [ 0,  1,  0]
  Snort                                       [ 0,  1,  0]
  Contagiodump.blogspot.com                   [ 0,  1,  0]
  oss-security                                [ 1,  0,  0]


Page Last Updated or Reviewed: November 06, 2012