
Distributing mappings to vendors/others - opinions please



This may be a sensitive topic, so I have tried to word it carefully. Does anyone have a problem with my giving each vendor my mappings for their own tools only? There may be a concern that vendors could use these mappings for "marketing purposes" sooner than they "should" (e.g., before the public release). Can vendors guarantee that these mappings will not be used for any marketing purposes, at least until the CVE is publicly released? Note that this particular issue may be even more sensitive with my management, so everyone's opinions will go a long way.

I recognize that giving vendors my current mappings for their tools will reduce duplication of effort and help them more effectively evaluate how the CVE applies to their databases. I believe that MITRE should respect vendors' "privacy" requests with respect to distributing unreviewed mappings to their tools. However, I know this may not be entirely kosher.

Each of my mappings dates back to around February. About 100 CVE vulnerabilities are shared across all/most of the tools, so if people have a problem with my providing the entire mappings, we could do "sub-mappings." The entire mappings are between 50% and 80% complete with respect to the current CVE version. They have some inaccuracies due to incomplete descriptive text in the vulnerability lists. I have mappings for ISS Internet Scanner, Real Secure, and System Security Scanner, Netect HackerShield, Axent NetRecon (without their own vulnerability IDs), an old version of NetSonar, and CyberCop Scanner.

In the spirit of fairness and efficiency, I would be willing to offer a "mapping service" to others in this input forum who have their own vulnerability databases, provided you can give me a text dump of the database's descriptive text and its identifier (if any). I'm familiar enough with the CVE and the advanced mapping script to be able to create a reasonable mapping in a few hours (assuming the database has similar content for the CVE). Of course, the long term maintenance of the mappings will be the database owner's responsibility, as Dave indicated on Sunday.

To the non-ISS vendors, note that because I utilized the X-Force database during CVE research, there are already a lot of references in there that implicitly form a partial mapping, although ISS has explicitly NOT utilized this information yet.

- Steve

Page last updated or reviewed: May 22, 2007