Re: Sources: Full and Partial Coverage

[Art Manion <amanion@cert.org>]

On 5/17/12 4:57 PM, security curmudgeon wrote:
> On Thu, 17 May 2012, Booth, Harold wrote:
> 
> : > However, if you say "CVE, monitor ProductX", and due to an incomplete list of sources
> : > being monitored, they end up issuing an ID for only 70% of the vulnerabilities disclosed
> : > in ProductX, has that met your need?
> : 
> : No, it has not. But then CVE and everyone else will know that, since the 
> : goal has been defined in terms of "monitor ProductX". Changes to process 
> : and tools will be made to get the number closer to 100%. If the goal is 
> : defined as "monitor sources X, Y and Z" which result in an ID for 70% of 
> : the vulnerabilities disclosed for ProductX there is likely no explicit 
> : step in the process to improve coverage of ProductX. "What gets 
> : measured, gets done," and I believe measuring in terms of products 
> : instead of sources will lead to more desirable results.
> 
> That is a good point, but not sure if either of us can justify our 
> positions short of "CVE would have to try it" =)
> 
> In my mind, if you monitor the right sources, you approach 100% for more 
> products in a repeatable fashion, than if you try to go off a list of 
> products first.

I'm being a bit of a jerk on purpose, but I have a gmail account that is
subscribed to a bunch of vul mailing lists and feeds.  CVE should
monitor that list, and only that list.

The owner or users of a source (whomever can post content) decide what
products are covered.

Talking about sources is a reasonable (and practical) proxy for talking
about products.  But in strict requirements terms, coverage should be
about products, or types of vulnerabilities, or languages.


 - Art