lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun Jul 17 21:11:17 2005
From: coley at mitre.org (Steven M. Christey)
Subject: RE: Why Vulnerability Databases can't do
	everything


security curmudgeon said:

>Consider that we already have government coordination for
>vulnerabilities. In fact, did you know we have it half a dozen times
>over?
>
>...
>
>Little overlap? You bet there is.

The CERT, CVE, and ICAT efforts are complementary.

CERT deals with large-scale disclosures, major alerts, incident
response, and critical infrastructure.  The public view of CERT
vulnerabilities (the vulnerability notes) is not broad, but it's deep.

CVE is the naming standard for everyone to use.  It bags and tags
vulnerabilities; from a content perspective it is relatively shallow,
but broad, and its heaviest analytical focus is on telling apples from
apples.

ICAT is, loosely, an extension of CVE, by adding the other
informational fields that some people want from CVE.

US-CERT is a heavy user of both CERT and CVE "products."

There is coordination across all these efforts, which each have their
own separate focus.  There will be greater evidence of that
coordination shortly.

- Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ