
Sources: Full and Partial Coverage



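All,

We are seeking input on a second set of sources of vulnerability information. All of the sources in the list below have been identified in our previous discussions on the list. We have broken this list into 3 groups:

+ Sources that should be fully covered
+ Sources that should be monitored but selectively covered
+ Sources that pose significant challenges that merit further discussion

For the purposes of our current discussion, we would like your feedback, reactions and input on the first two of these groups. The primary question is whether any source in the first group should be demoted to the second and, conversely, whether any from the second group should be promoted to the first.

As you consider these groups, understand that we are discussing priority, not feasibility. It is possible that current CVE practices will need to change to provide the stated coverage goals for these sources. We will address that in later email discussions.

We give some indication of why we believe the second group below should be only partially covered.

Should be fully covered
------------------------
US-CERT: Technical Cyber Security Alerts
RealNetworks (real.com)
Apple
EMC, as published through Bugtraq
VMware
Google: Google Chrome (includes WebKit)
IBM: issues in IBM ISS X-Force Database
Internet Systems Consortium (ISC)
MIT Kerberos
Adobe
Apache Software Foundation: Apache HTTP Server
Cisco: Security Advisories/Responses
HP: Security Bulletins
Microsoft: Security Bulletins/Advisories
Mozilla
Oracle

Should be monitored but selectively covered
-------------------------------------------
US-CERT: Vulnerability Notes [1]
Symantec: SecurityFocus Bugtraq (securityfocus.com/archive/1) [1]
Symantec: SecurityFocus Bugtraq ID (securityfocus.com/bid) [1]
Full Disclosure [1]
OSVDB [1]
SecurityTracker [1]
FreeBSD [2]
NetBSD [2]
OpenBSD [2]
Mandriva [2]
oss-security [3]
IBM: issues not in IBM ISS X-Force Database [4]

Pose significant challenges and merit discussion at a later time
------------------------------------------------------------
Debian
Red Hat
Attachmate: SUSE
Ubuntu (Linux)

[1] - These sources tend to contain a mix of high priority issues and low priority issues. It is unreasonable to assign CVE ids for vulnerabilities affecting software with limited distribution and impact.

[2] - We believe that these systems are low enough in terms of their market share and distribution that it is reasonable to only assign CVE ids for more critical vulnerabilities from these sources.

[3] - For the most part, we believe that issues disclosed on this are already disclosed in other sources that we actively monitor.

[4] - At present, IBM has no centralized distribution source for vulnerability information related to many of its products. Some IBM products use the ISS X-Force database as their disclosure mechanism, which is listed as a fully covered source (for IBM issues only).
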
-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================

Page last updated or reviewed: November 6, 2012