Re: Sources: Full and Partial Coverage (CNA increase)
On 6/25/12 7:06 AM, Carsten Eiram wrote:
> Finally, since CVE is not competing with any VDBs, they can as far as
> I'm concerned rely quite a bit on VDBs to pick up vulnerabilities
> from random sources instead of doing it themselves. Also, if no VDBs
> or major sources cover a specific vulnerability report, how important
> is it then for it to have a CVE identifier assigned? If it is a critical
> vulnerability in a popular product, then the VDBs have failed, but
> will likely pick it up eventually (and CVE can then catch it from
> there) - I don't consider it to be the responsibility of the CVE team
> to uncover it.
I have a vague future vision of more qualified and trained CNAs covering
segments of the public vulnerability disclosure market (JPCERT for
Japan, ICS-CERT for control systems, Red Hat for Red Hat, etc), with CVE
being the CNA of last resort, as well as the conflict resolver and CNA
grey-bearded guru. In product terms, some CNAs could take
responsibility for certain products or classes of product. In source
terms, CVE could monitor a set of current VDBs, and only put in further
effort if something gets missed or there's a conflict.
- Art