Full Disclosure mailing list archives
Re: RE: Why Vulnerability Databases can't do everything
From: "Steven M. Christey" <coley () mitre org>
Date: Sun, 17 Jul 2005 16:11:10 -0400 (EDT)
security curmudgeon said:
Consider that we already have government coordination for vulnerabilities. In fact, did you know we have it half a dozen times over? ... Little overlap? You bet there is.
The CERT, CVE, and ICAT efforts are complementary. CERT deals with large-scale disclosures, major alerts, incident response, and critical infrastructure. The public view of CERT vulnerabilities (the vulnerability notes) is not broad, but it's deep. CVE is the naming standard for everyone to use. It bags and tags vulnerabilities; from a content perspective it is relatively shallow, but broad, and its heaviest analytical focus is on telling apples from apples. ICAT is, loosely, an extension of CVE, by adding the other informational fields that some people want from CVE. US-CERT is a heavy user of both CERT and CVE "products."

There is coordination across all these efforts, which each have their own separate focus. There will be greater evidence of that coordination shortly.

- Steve

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/