[Full-disclosure] RE: Why Vulnerability Databases can't do everything

[Steven M. Christey]

security curmudgeon said:

>Consider that we already have government coordination for
>vulnerabilities. In fact, did you know we have it half a dozen times
>over?
>
>...
>
>Little overlap? You bet there is.

The CERT, CVE, and ICAT efforts are complementary.

CERT deals with large-scale disclosures, major alerts, incident
response, and critical infrastructure.  The public view of CERT
vulnerabilities (the vulnerability notes) is not broad, but it's deep.

CVE is the naming standard for everyone to use.  It bags and tags
vulnerabilities; from a content perspective it is relatively shallow,
but broad, and its heaviest analytical focus is on telling apples from
apples.

ICAT is, loosely, an extension of CVE, by adding the other
informational fields that some people want from CVE.

US-CERT is a heavy user of both CERT and CVE "products."

There is coordination across all these efforts, which each have their
own separate focus.  There will be greater evidence of that
coordination shortly.

- Steve