Folks,
Three comments...
1) Our language has moved from "must have/nice to have" to "fully covered/partially covered".
2) In our current discussion, we are only considering sources that you all identified as "must haves" in our prior discussion. The list that I posted last Friday broke your previous "must haves" into 2 sub-groups: sources that the CVE team agrees should be "fully covered" and sources that the CVE team believes should be demoted to "partially covered status".
THE PRIMARY QUESTIONS WE'RE SEEKING GUIDANCE ON ARE:
A) SHOULD ANY OF OUR SUGGESTED PARTIALLY COVERED SOURCES BE PROMOTED BACK TO FULLY COVERED STATUS?
B) ARE THERE ANY OTHER SOURCES YOU BELIEVE SHOULD BE FULLY COVERED?
3) As you consider these questions, please bear in mind that we have a very long list of sources previously designated as "nice to have". We would ask that you hold your suggestions for other partially covered sources (aka nice to have) source for later when we consider the full list of partially covered sources (in addition to those we suggest demoting).
Here are the lists again, along with a list of sources that have been nominated as needing to be fully covered. We would like more discussion on the fully covered sets. Note, we may not be able to cover all of the sources being nominated as full coverage, so please consider and defend your nominations in that light.
SHOULD BE FULLY COVERED
-----------------------
US-CERT: Technical Cyber Security Alerts
RealNetworks (real.com)
Apple
EMC, as published through Bugtraq
VMware
Google: Google Chrome (includes WebKit)
IBM: issues in IBM ISS X-Force Database
Internet Systems Consortium (ISC)
MIT Kerberos
Adobe
Apache Software Foundation: Apache HTTP Server
Cisco: Security Advisories/Responses
HP: Security Bulletins
Microsoft: Security Bulletins/Advisories
Mozilla
Oracle
SHOULD BE MONITORED BUT SELECTIVELY COVERED (being demoted)
-------------------------------------------
US-CERT: Vulnerability Notes [1]
Symantec: SecurityFocus BugTraq (securityfocus.com/archive/1) [1]
Symantec: SecurityFocus Bugtraq ID (securityfocus.com/bid) [1]
Full Disclosure [1]
OSVDB [1]
SecurityTracker [1]
FreeBSD [2]
NetBSD [2]
OpenBSD [2]
Mandriva [2]
oss-security [3]
IBM: issues not in IBM ISS X-Force Database [4]
PRESENT BIG CHALLENGES THAT MERIT DISCUSSION AT A LATER TIME
------------------------------------------------------------
Debian
Red Hat
Attachmate: SUSE
Ubuntu (Linux)
Requests for Additional Fully-Covered Sources
----------------------------------------------
Juniper - JTAC Technical Bulletins
Citrix / Xen
ASF: Apache Tomcat
Samba Security Updates and Information
PHP
FoxIt Support Center - Security Advisories
Symantec Security (Not BIDs but actual Symantec Advisories)
McAfee Security
Exploit Database (for entries containing exploit code)
-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
==================================================================