Proposed Products List
Folks,
We've been working through the lists of products you all suggested as "must-have" products for CVE to cover, and we have given them all careful consideration. Based on your input and our own analysis and discussion, we present to you the proposed list (below) of "must-have products," along with the previously released lists of full and partial coverage information sources.
We see these lists as a waypoint for ongoing board discussions, not as a final destination, and we plan to review and revise these lists with the Board on a regular basis. We also still have a significant amount of internal analysis to do in terms of impacts on our processes and (potentially) even the feasibility of achieving these goals.
At this juncture, we believe it is important to discuss these results and issues in the next few weeks (early October?) in an Editorial Board teleconference. We believe a teleconference is needed so that we can have a much richer discussion than we would by simply continuing the discussion on the Editorial Board email list. Please note that the planned teleconference should not abridge or otherwise prevent any discussion on the Board list of any topics of interest. As such, we will continue to publish interim results to the Board list as they are developed.
-The CVE Team
=====
CVE COVERAGE GOALS
=====
CVE's coverage goals are stated in terms of "sources" of information (e.g. web sites, vendor advisories, vulnerability databases) and "products" (e.g. Microsoft Office, Red Hat Enterprise Linux).
=====
SOURCES
=====
We separate sources into 2 major groups:
- Those that should be fully covered ("Full Coverage")
- Those that should be partially covered ("Partial Coverage")
"Full Coverage" means that for nearly all issues disclosed by the source that could be associated with a CVE entry, there will be an associated CVE entry, regardless of the criticality of the issue. Although a source is named as "Full Coverage," we purposely use the phrasing "nearly all issues disclosed" to allow the flexibility to potentially postpone coverage of minor issues.
"Partial Coverage" means that the source will be actively monitored but issues will be processed and associated with CVE entries based on a variety of editorial judgments.
As a bridge to the product coverage goals, we further sub-divide each of these lists into 2 sub-lists:
- "Vendor," meaning the source can be associated with a vendor or primary maintainer of a product or set of products.
- "Other," a catch-all for things like vulnerability databases, mailing lists and advisories from coordination centers, which tend to disclose vulnerability information from many different vendors.
PLEASE NOTE: MITRE actively monitors many sources beyond this list. These sources include things like blogs from vulnerability researchers, conference proceedings and media outlets. Monitoring this set of sources has proven to be productive for and informative to the CVE analysts. Which sources are of most utility is highly dependent on a given situation. As such, we don't believe it is of general utility to list them all specifically.
-----
FULL COVERAGE SOURCES - VENDOR RELATED
-----
Adobe
Apache Software Foundation: Apache HTTP Server
Apple
Attachmate: Novell
Attachmate: SUSE
Blue Coat - kb.bluecoat.com
CA - support.ca.com
Check Point: Security Gateways product line (supportcenter.checkpoint.com)
Cisco: Security Advisories/Responses
Citrix - support.citrix.com
Debian
Dell Desktop/Notebook product lines
Dell SonicWALL Network Security product line - Service Bulletins
EMC, as published through Bugtraq
F5 - support.f5.com
Fortinet FortiGate product line (kb.fortinet.com)
Fujitsu Desktop/Notebook product lines
Google: Google Chrome (includes WebKit)
HP: Security Bulletins
IBM: issues in IBM ISS X-Force Database
Internet Systems Consortium (ISC)
Juniper: juniper.net/customers/support (JunOS?)
Lenovo Desktop/Notebook product lines
McAfee - kc.mcafee.com
Microsoft: Security Bulletins/Advisories
MIT Kerberos
Mozilla
OpenSSH
OpenSSL
Oracle: Critical Patch Updates
RealNetworks (real.com)
Red Hat
RIM/BlackBerry - blackberry.com/btsc
Samba Security Updates and Information
SAP - scn.sap.com/docs/DOC-8218
Sendmail
Sophos - sophos.com/support/knowledgebase
Symantec: Security Advisories
Ubuntu (Linux)
VMware
Websense - websense.com/content/support.aspx
-----
FULL COVERAGE SOURCES - OTHER
-----
HP: TippingPoint DVLabs
HP: TippingPoint Zero Day Initiative
ICS-CERT: ADVISORY
MITRE CNA open-source requests
US-CERT: Technical Cyber Security Alerts
VeriSign iDefense
-----
PARTIAL COVERAGE SOURCES - VENDOR RELATED
-----
Android (associated with Google or Open Handset Alliance)
Apache Software Foundation: Apache Tomcat
Apache Software Foundation: other
CentOS
Check Point: checkpoint.com/defense/advisories/public/summary.html
Cisco: Release Note Enclosures (RNE)
Drupal
Fedora
FoxIt Support Center - Security Advisories
FreeBSD
Gentoo (Linux)
Google: other (not Chrome or Android)
IBM ISS X-Force for non-IBM products
IBM: issues not in IBM ISS X-Force Database
Joomla!
Juniper - JTAC Technical Bulletins
kernel.org
Mandriva
NetBSD
OpenBSD
PHP core language interpreter
SCO
TYPO3
WordPress
-----
PARTIAL COVERAGE SOURCES - OTHER
-----
attrition.org/pipermail/vim
AusCERT
Core Security CoreLabs
DOE JC3 (formerly DOE CIRC and CIAC)
Full Disclosure
HP: TippingPoint Pwn2Own
http://www.exploit-db.com/
ICS-CERT: ALERT
Juniper: J-Security Center - Threats and Vulnerabilities
Microsoft: Vulnerability Research (MSVR)
oss-security
OSVDB
Packet Storm
Rapid7 Metasploit
Secunia
SecuriTeam
SecurityTracker
Symantec: SecurityFocus BugTraq (securityfocus.com/archive/1)
Symantec: SecurityFocus Bugtraq ID (securityfocus.com/bid)
United Kingdom CPNI (formerly NISCC)
US-CERT: Vulnerability Notes
=====
PRODUCTS
=====
All products listed are considered to be "must have". This means that we will ensure that a CVE ID is issued for any public disclosure for the product provided that:
a) the disclosure is publicly associated with the product with a reasonably recognizable variant of the product name (we are not going to entirely solve the product identification problem)
b) the disclosure is published in at least one source that is listed as either "full coverage" or "partial coverage", per the list of sources above.
Products are stated as "vendor: product name", where the product name may be a specific product, set of products or "all".
-----
MUST-HAVE PRODUCTS
-----
Adobe: all
Apache Software Foundation: all
Apple: all
Attachmate: Novell
Attachmate: SUSE
Blue Coat: all
CA: all
Check Point: Security Gateways product line
Cisco: all
Citrix - support.citrix.com
Debian: all
Dell: Desktop/Notebook product lines
Dell: SonicWALL Network Security product line
EMC: all
F5: all
Fortinet: FortiGate product line
Fujitsu: Desktop/Notebook product lines
Google: Google Chrome (includes WebKit)
HP: all
IBM: all
Internet Systems Consortium (ISC): Bind
Juniper: all
kernel.org: Linux kernel
Lenovo: Desktop/Notebook product lines
McAfee: all
Microsoft: all
MIT Kerberos: all
Mozilla: all
MySQL: all
OpenLDAP: all
OpenSSH: all
OpenSSL: all
Oracle: all
PHP: core language interpreter
RealNetworks: all
Red Hat: all
RIM/BlackBerry: all
Samba: all
SAP: all
Sendmail: all
Sophos: all
Symantec: all
Ubuntu: all
VMware: all
Websense: all