REMINDER: Board Telecon - Wed, Oct 31, 1-2pm Eastern
Folks,
A reminder that we will be hosting a teleconference with a web broadcast briefing on Wednesday.
Please re-review the products and sources list (after my sig) as this will be the first issue on the agenda. Due to the length of the list, it won't be practical to display in a briefing slide. Please refer to this email (or the email sent out on 9/26) during the discussion.
Here is a reminder of the dial-in and web information:
TO ATTEND THE AUDIO CONFERENCE:
Dial 781-271-6338 (x16338) from the Bedford, MA region.
Dial 703-983-6338 (x36338) from the Washington DC region, Nationally or Internationally.
Meeting ID: 258369
Meeting Password: 147258369
TO ATTEND THE MeetingPlace Web Collaboration CONFERENCE:
1. Go to: http://audioconference.mitre.org
2. Enter 258369 into the empty field and click Attend Meeting.
- Accept any security warnings you receive and wait for the Meeting Room to initialize.
3. If MeetingPlace Collaboration Window does not automatically open, press connect.
-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================
=====
CVE COVERAGE GOALS
=====
CVE's coverage goals are stated in terms of "sources" of information (e.g. web sites, vendor advisories, vulnerability databases) and "products" (e.g. Microsoft Office, Red Hat Enterprise Linux).
=====
SOURCES
=====
We separate sources into 2 major groups:
- Those that should be fully covered ("Full Coverage")
- Those that should be partially covered ("Partial Coverage")
"Full Coverage" means that for nearly all issues disclosed by the source that could be associated with a CVE entry, there will be an associated CVE entry, regardless of the criticality of the issue. Although a source is named as "Full Coverage," we purposely use the phrasing "nearly all issues disclosed" to allow the flexibility to potentially postpone coverage of minor issues.
"Partial Coverage" means that the source will be actively monitored but issues will be processed and associated with CVE entries based on a variety of editorial judgments.
As a bridge to the product coverage goals, we further sub-divide each of these lists into 2 sub-lists:
- "Vendor," meaning the source can be associated with a vendor or primary maintainer of a product or set of products.
- "Other," a catch-all for things like vulnerability databases, mailing lists and advisories from coordination centers, which tend to disclose vulnerability information from many different vendors.
PLEASE NOTE: MITRE actively monitors many sources beyond this list. These sources include things like blogs from vulnerability researchers, conference proceedings and media outlets. Monitoring this set of sources has proven to be productive for and informative to the CVE analysts. Which sources are of most utility is highly dependent on a given situation. As such, we don't believe it to be of general utility to list them all specifically.
-----
FULL COVERAGE SOURCES - VENDOR RELATED
-----
Adobe
Apache Software Foundation: Apache HTTP Server
Apple
Attachmate: Novell
Attachmate: SUSE
Blue Coat - kb.bluecoat.com
CA - support.ca.com
Check Point: Security Gateways product line (supportcenter.checkpoint.com)
Cisco: Security Advisories/Responses
Citrix - support.citrix.com
Debian
Dell Desktop/Notebook product lines
Dell SonicWALL Network Security product line - Service Bulletins
EMC, as published through Bugtraq
F5 - support.f5.com
Fortinet FortiGate product line (kb.fortinet.com)
Fujitsu Desktop/Notebook product lines
Google: Google Chrome (includes WebKit)
HP: Security Bulletins
IBM: issues in IBM ISS X-Force Database
Internet Systems Consortium (ISC)
Juniper: juniper.net/customers/support (JunOS?)
Lenovo Desktop/Notebook product lines
McAfee - kc.mcafee.com
Microsoft: Security Bulletins/Advisories
MIT Kerberos
Mozilla
OpenSSH
OpenSSL
Oracle: Critical Patch Updates
RealNetworks (real.com)
Red Hat
RIM/BlackBerry - blackberry.com/btsc
Samba Security Updates and Information
SAP - scn.sap.com/docs/DOC-8218
Sendmail
Sophos - sophos.com/support/knowledgebase
Symantec: Security Advisories
Ubuntu (Linux)
VMware
Websense - websense.com/content/support.aspx
-----
FULL COVERAGE SOURCES - OTHER
-----
HP: TippingPoint DVLabs
HP: TippingPoint Zero Day Initiative
ICS-CERT: ADVISORY
MITRE CNA open-source requests
US-CERT: Technical Cyber Security Alerts
VeriSign iDefense
------
PARTIAL COVERAGE SOURCES - VENDOR RELATED
------
Android (associated with Google or Open Handset Alliance)
Apache Software Foundation: Apache Tomcat
Apache Software Foundation: other
CentOS
Check Point: checkpoint.com/defense/advisories/public/summary.html
Cisco: Release Note Enclosures (RNE)
Drupal
Fedora
FoxIt Support Center - Security Advisories
FreeBSD
Gentoo (Linux)
Google: other (not Chrome or Android)
IBM ISS X-Force for non-IBM products
IBM: issues not in IBM ISS X-Force Database
Joomla!
Juniper - JTAC Technical Bulletins
kernel.org
Mandriva
NetBSD
OpenBSD
PHP core language interpreter
SCO
TYPO3
WordPress
------
PARTIAL COVERAGE SOURCES - OTHER
------
attrition.org/pipermail/vim
AusCERT
Core Security CoreLabs
DOE JC3 (formerly DOE CIRC and CIAC)
Full Disclosure
HP: TippingPoint Pwn2Own
http://www.exploit-db.com/
ICS-CERT: ALERT
Juniper: J-Security Center - Threats and Vulnerabilities
Microsoft: Vulnerability Research (MSVR)
oss-security
OSVDB
Packet Storm
Rapid7 Metasploit
Secunia
SecuriTeam
SecurityTracker
Symantec: SecurityFocus BugTraq (securityfocus.com/archive/1)
Symantec: SecurityFocus Bugtraq ID (securityfocus.com/bid)
United Kingdom CPNI (formerly NISCC)
US-CERT: Vulnerability Notes
======
PRODUCTS
======
All products listed are considered to be "must have". This means that we will ensure that a CVE ID is issued for any public disclosure for the product provided that:
a) the disclosure is publicly associated with the product with a reasonably recognizable variant of the product name (we are not going to entirely solve the product identification problem)
b) the disclosure is published in at least one source that is listed as either "full coverage" or "partial coverage", per the list of sources above.
Products are stated as "vendor: product name", where the product name may be a specific product, set of products or "all".
-----
MUST-HAVE PRODUCTS
-----
Adobe: all
Apache Software Foundation: all
Apple: all
Attachmate: Novell
Attachmate: SUSE
Blue Coat: all
CA: all
Check Point: Security Gateways product line
Cisco: all
Citrix - support.citrix.com
Debian: all
Dell: Desktop/Notebook product lines
Dell: SonicWALL Network Security product line
EMC: all
F5: all
Fortinet: FortiGate product line
Fujitsu: Desktop/Notebook product lines
Google: Google Chrome (includes WebKit)
HP: all
IBM: all
Internet Systems Consortium (ISC): Bind
Juniper: all
kernel.org (Linux kernel)
Lenovo: Desktop/Notebook product lines
McAfee: all
Microsoft: all
MIT Kerberos: all
Mozilla: all
MySQL: all
OpenLDAP: all
OpenSSH: all
OpenSSL: all
Oracle: all
PHP: core language interpreter
RealNetworks: all
Red Hat: all
RIM/BlackBerry: all
Samba: all
SAP: all
Sendmail: all
Sophos: all
Symantec: all
Ubuntu: all
VMware: all
Websense: all