RE: Sources: Full and Partial Coverage (CNA increase)

[security curmudgeon <jericho@attrition.org>]

On Fri, 22 Jun 2012, Mann, Dave wrote:

: >editorial-board-list@lists.mitre.org] On Behalf Of Adam Shostack
: >I'm not sure which of these approaches would work best.  Are there
: >other non-product-cetric issues that folks have encountered?  Perhaps
: >with more samples, we can find a category.
: 
: It bears reiterating that there are (at least) 2 dimensions to this problem:
: + What is important to cover
: + How do we describe what we will and won't cover

+ How do we actually cover it if the list is big

: We are moving into a time in which we must accept that CVE can no longer 
: aspire to provide ID coverage for the global software market.

I don't recall it coming up during this thread, but perhaps before I 
joined. Have we discussed the idea of creating more CNAs? 

As one example, ZDI releases a sizable number of advisories, yet they are 
not a CNA. Since they typically release in products that will make the 
list most of you want, and they currently run into communication problems 
with vendors, they should be a CNA in my eyes. Even if they get a pool of 
100 IDs a year, that is all they need.

Now, think about a few dozen like that. Not only are they helping CVE, but 
potentially expanding coverage. Looking to JP-CERT or more non-US bodies 
that handle vulnerabilities could turn into a great asset to CVE.

I know I am an idealist in the land of VDBs often times, but if this 
hasn't been explored, I think it is worth discussing.