Forwarded from: security curmudgeon <jericho (at) attrition.org>

: http://www.gcn.com/online/vol1_no1/41907-1.html
:
: By William Jackson
: GCN Staff
: 09/07/06
:
:
: The National Institute of Standards and Technology today launched a
: service within its National Vulnerability Database that will allow
: vendors to discuss the impact of vulnerabilities on their products.
:
: "The service is designed to be a public forum for vendors to comment on
: the vulnerabilities, and to have those comments embedded in databases
: and discussions," said NVD program manager Peter Mell.
:
: "There hasn't been a public forum for software vendors where they can
: say, here's some more information," Mell said.

But there has. OSVDB announced the exact same feature on Apr 13, 2006 [1].
This was done to let vendors AND users add comments to vulnerabilities,
and it has proven very helpful in adding another method for people to
provide feedback and additional information/clarification on published
vulnerabilities. So far, it has been very useful and allowed us to update
many entries with additional information.

: The impetus for the program came from Mark J. Cox, security response
: director for Red Hat Inc. of Raleigh, N.C., which sells open-source
: software including Red Hat Linux and SELinux.

I have no doubt Mark Cox came up with this idea, but I imagine that, like
many ideas, it wasn't published in any fashion, leading to multiple
people/projects 'inventing' it on their own. That said, just to be a bit
snarky (come on, people expect it from me), perhaps NVD could implement
another of Mr. Cox's suggestions [2]? And yes, OSVDB has been doing it
since day one, with a long-standing bugzilla to enhance it even further. =)

: NIST provides a Web portal for vendors with accounts that lets them post
: official statements about vulnerabilities. These can include information
: on what versions and products are affected or not affected, guidance on
: configuration and remediation, analysis, explanations and disputes. The
: statements appear on the same page as the vulnerability being described.

Why do you only allow vendors to comment on them? Surely NVD doesn't think
that vendors are the only ones qualified to add analysis and information
to a vulnerability? If you allow comments from anyone, of course you get
to deal with the usual blog-style spam and random quacks that tend to
reply "OMG THIS IZ NOT REAL U SUK", but it's no worse than dealing with a
blog. On the other hand, you also tend to get vendors that don't want to
create accounts, researchers that can add information, as well as other
VDBs that care about accurate information (*gasp*).

: NIST verifies designated vendor officials who receive the accounts on
: the service and authenticates users accessing the service to make posts.

Does NIST propagate these comments back to CVE in the case of correcting
an error in the original CVE description/references, which are the basis
for NVD?

: Cox said Red Hat will evangelize the service, which he expects will be
: particularly helpful to the open-source community.
:
: "This is really useful for software that is shipped by multiple
: vendors," he said. "But the service is going to be open for everyone."

It depends on what you count as the 'service'. If the 'service' is being
able to comment on a vulnerability, then no, the service is open for
registered and verified vendors.

- jericho

[1] http://osvdb.org/news.php#comments
[2] http://attrition.org/pipermail/vim/2006-May/000777.html
This archive was generated by hypermail 2.1.3 : Tue Sep 12 2006 - 22:53:58 PDT