Re: tracker CVE feed source



Hi Thijs,
* Thijs Kinkhorst <thijs@debian.org> [2008-08-04 20:16]:
> Following a short interchange with Steve from Mitre I've discovered that
> http://cve.mitre.org/data/downloads/allitems.html.gz probably isn't the best 
> source to get our CVEs into the tracker.

This has been known as a problem for quite some time :) Reading 
the RSS feed from NVD, for example, you get daily updates.

> We have the following options:
> - Keep the current feed.
>   It works. But, it's only updated a few times a week, but this may get more
>   often in the future.

While I agree that this may be bad because we get some of 
the vulnerabilities later, I also see a good thing in this. 
This way we don't have to work on this every day but are 
able to work on bigger chunks every now and then, which may 
be better unless we have more active people working on new 
CVE ids.

> - The feeds from NVD at http://nvd.nist.gov/download.cfm
>   They're on-demand so can be integrated into the pull-system that
>   the tracker currently has (twice daily cronjob pulls in information and
>   generates new list).
>   There's a small delay, but that's probably in the order of minutes.
>   It's an extra step between Mitre and us, which could break.

Steve talked about some more regular updates for the MITRE 
site that will happen this summer. I replied to his mail on 
oss-sec asking what the current status of this is. Maybe 
this will work out too.

[...] 
> I'm glad to hear your thoughts on these options: is it fine as is, should we 
> still update twice a day but with more current data, or should we update any 
> time we receive an email feed with a handful of CVEs?

Don't get me wrong, I also think that getting the useful 
information earlier is good, but on the other hand we already 
know about most of the important vulnerabilities popping out 
before we get them through the update (via public mailing 
lists, vendor-sec, milw0rm, etc.) and most of the rest would 
be just NFUs, which we don't have enough manpower to 
handle on a daily basis.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
