
RE: CVE Information Sources and Scope



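By the way, the list below is by no means meant to be complete. I also frequently find new (to me) vuln information on Facebook, Google+, many non-security forums, etc., etc. I also frequently find unpublished vulnerabilities myself in nearly every networked device or piece of software, including TVs, AV receivers, printers, cable boxes, and even the general service manual software for my car (old version of Tomcat).

At the end of the day, we just need to choose the business critical/important technologies to track, and ignore the rest.

Thanks and regards,
Ken

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Williams, James K
Sent: Tuesday, October 04, 2011 1:17 PM
To: Manion, Art; Mann, Dave
Cc: cve-editorial-board-list
Subject: RE: CVE Information Sources and Scope

Good points, Art. In particular, issuing CVE identifiers faster would be good.

Along with monitoring Twitter and blogs, we also need to consider monitoring:

* pastebin,
* small vendor bugtracking systems (I find vulns every week, in widely used software, that don't make it to BugTraq, Secunia, or CVE),
* forums (in various languages, many requiring registration),
* reddit,
* IRC,
* and whatever other communication/dissemination medium becomes popular next month (yet again).

When expanding monitoring to these types of sources, extensive automation is necessary.

Thanks and regards,
Ken

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Art Manion
Sent: Tuesday, October 04, 2011 12:54 PM
To: Mann, Dave
Cc: cve-editorial-board-list
Subject: Re: CVE Information Sources and Scope

On 2011-10-04 39, Mann, Dave wrote:

> The yardstick for considering these is, does CVE need to capture
> vulnerabilities from this source in order to fulfill its charter?

IMO, the bigger discussion is the future of CVE, and therefore the future (or revision, review, refresh) of the charter.

Is CVE looking for original sources of vul information? Or broad coverage? Or effectively "maximum" coverage of new vuls?

The list below is adequate, if a bit dated, and duplicative (CIAC changed their name, CIAC and AusCERT republish vul information IIRC). We (CERT/CC) have a similarly adequate, but dated list. We are also probably more interested in the first hint of a new vul report than in something more authoritative that is ready for a CVE ID.

More new vul information comes out these days via Twitter and blogs. It seems most of it probably reaches the sources below. Exploit lists (metasploit, exploitdb) are other sources of new vul information, depending on what CVE is looking for.

Back to the bigger picture, I'm on the side of issuing more CVE IDs faster for more vul reports, having reasonable ways to distribute assignment and manage duplicates and false alarms. Accurate analysis is great, but can come a few days after the ID is issued.

So my opinion is that CVE should refocus on being *the* leading, fairly comprehensive source of IDs (enumeration) for vul reports. Some other capability can do analysis or add further value later.

Goals, in time order (and as more information about a vul report becomes available):

1. Assign ID to vul report (More CNAs? More active CNAs?)
2. Manage duplicates, mistakes, etc.
3. Refine assignments (further duplicate resolution, merge/splits, final arbitration)
4. Accurate analysis

Don't wait for #4 to issue a CVE ID.

Users need to be able to talk about "the thing" (a vul report), even (unfortunately) if "the thing" turns out to be a duplicate or false alarm.

> Government Information Sources
> US-CERT Advisories (aka CERT-CC Advisories)
> US-CERT Vulnerability Notes (CERT-CC)
> US-CERT Bulletins (aka Cyber-Notes)
> DoD IAVAs
> NISCC
> AUS-CERT
> CIAC
>
>
> CNA Published Information
> CMU/CERT-CC
> Microsoft
> RedHat
> Debian
> Apache
> Apple OSX
> Oracle
>
>
> Non-CNA Vendor Advisories
> Solaris
> Suse
> Mandriva
> HP-UX
> SCO
> AIX
> Cisco IOS
> Free BSD
> Open BSD
> Net BSD
> Gentoo (Linux)
> Ubuntu (Linux)
>
>
>
> Mailing Lists & VDBs
> Bugtraq
> Vuln-Watch
> VulnDev
> Full Disclosure
> Security Focus
> Security Tracker
> OSVDB
> ISS X-Force
> FRSIRT
> Secunia
> Packet Storm
> SecuriTeam
> SANS Mailing List (Qualys)
> Neohapsis (Security Threat Watch)

- Art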

Page last updated or reviewed: November 6, 2012