Re: CVE信息来源和范围

> >政府信息来源us - cert(又名CERT-CC报告)必须劝告。虽然很大程度上再版,我们预计这种改变,体积是相当低的。> us - cert脆弱性(CERT-CC)必须指出。> us - cert公告(又名Cyber-Notes)这些都是已经公开报道的集合,从CVE甚至可能生成的吗?>国防部IAVAs怀疑实用性。CVE分配后再版的好吗?> NISCC好的看,新vul报道很少出来。> AUS-CERT几乎只再版。AusCERT甚至提供了一个列表的产品/供应商他们监控(还是)。> CIAC名称改变,相信这是完全再版。 > CNA Published Information > CMU/CERT-CC Must have, but included in US-CERT vul notes and Alerts above. > Microsoft > RedHat > Debian > Apache > Apple OSX > Oracle Must have. > Non-CNA Vendor Advisories > Solaris > Suse > Mandriva > HP-UX > SCO > AIX > Cisco IOS > Free BSD > Open BSD > Net BSD > Gentoo (Linux) > Ubuntu (Linux) Must have, although as usual lots of duplication across linux/UNIX distros. > Mailing Lists & VDBs It's been a while since I watched any of these closely. > Bugtraq Must have. > Vuln-Watch > VulnDev Not sure what these are like anymore. Seemed to be low signal. > Full Disclosure Lots of noise, but new reports come out. Must have. > Security Focus Bugtraq? Or other lists? > Security Tracker Not sure of current quality/signal. > OSVDB Must have, because they're trying to be reference complete. > ISS X-Force > FRSIRT Changed name again -- VUPEN? If they provide original reports, then must have. > Secunia Good to have. > Packet Storm No longer familiar, seems dated. > SecuriTeam No longer familiar. > SANS Mailing List (Qualys) Don't know about new vul reports here. > Neohapsis (Security Threat Watch) Only know about their archive service. IMO, any and every source of "OC" (original content, original vul reports) should be monitored, starting with major vendors, CNAs, and sources with high quality signal (even if they are also noisy). - Art