Information on possible sources for security related announcements and vulnerabilities (Status: 20070704)
This analysis was done by Meike Reichle of DN-Systems GmbH. The table is also available as the original ODS file.

Information on possible sources for security related announcements and vulnerabilities, Part 1 (Status: 20070704)

| | Bugtraq | Mcert | CERT/CC | RUS CERT (Uni Stuttgart) | Bund-CERT WID advisories |
|---|---|---|---|---|---|
| URL | www.securityfocus.com | www.mcert.de | www.cert.org | cert.uni-stuttgart.de | www.bsi.de/certbund/ |
| Operator | Symantec Corporation | BSI and BITKOM companies, e.g. SUN, Microsoft and SAP | Software Engineering Institute, Carnegie Mellon University | Rechenzentrum der Universität Stuttgart | Bundesamt für Sicherheit in der Informationstechnik (BSI) |
| Communication media | Mailing list with web archive | Commercial mailing list and mail archive; free: RSS feed and website with 5 current short announcements | Website with security relevant information for administrators, programmers and managers; no current information | Mailing list, news group, RSS feed, web archive. Security announcements including risk estimations | Mailing list with current announcements, apparently no public archive |
| Focus | Detailed discussion and security announcements | Software used in small and medium sized business, "professional" edition targets companies | No data | Mostly GNU/Linux, Sun Solaris, Microsoft Windows and Microsoft's server products | Current information on security-critical incidents in computer systems and countermeasures, for national agencies |
| Activity / Reaction | At the same time or even before vendor announcements | Probably slight delay for editorial tests and translation | Publication at least 45 days delayed, sometimes more | Slight delay due to translation | Average |
| Precision | Usually forwards announcements without checking | No sufficient data | Probably good due to high delay | Probably very good | No tests |
| Structured Processes | Not really | Probably yes, not public | No data | No data, probably good | Probably yes, not public |
| Long term reliability | Has been around for some time already, funding seems secured | Good (run by BMI, BMWI and BITKOM) | Yes, first "CERT". | Yes | Yes |
| Meta Languages | No | Apparently not | No data | RSS feed. | Yes, own XML dialect |
| Sender verification | Only partially, with forwarded announcements | PGP signatures, S/MIME also possible. | No data | Cannot be told from web archive | PGP and also S/MIME |
| Online since | 11 years | 4 years. | 19 years | Sep 2002 (acc. to mail archives) | 6 years. |
| Quality of announcements | Detailed information, sometimes with discussion | Only last five short announcements are free; rest unknown. | No sufficient data | Extensive | German security announcements with references to original sources, problem descriptions, risk estimations, work-arounds and fixes. |

Information on possible sources for security related announcements and vulnerabilities, Part 2 (Status: 20070704)

| | Bund-CERT kurzinfo | BürgerCERT Tech. Warnungen | US-CERT | CVE | oval.mitre.org | osvdb.org |
|---|---|---|---|---|---|---|
| URL | www.bsi.de/certbund/ | www.buerger-cert.de | www.us-cert.gov | cve.mitre.org | oval.mitre.org/repository/download/ | osvdb.org |
| Operator | Bundesamt für Sicherheit in der Informationstechnik (BSI) | mCert and BSI | US Department of Homeland Security | Supported by Mitre; financed by US Department of Homeland Security | Supported by Mitre; financed by US Department of Homeland Security | osvdb-Community; Open Security Foundation |
| Communication media | Mailing list with current announcements, apparently no public archive | Mailing list with web archive | Mailing lists and RSS feeds for Technical Cyber Security Alerts, Cyber Security Bulletins and Cyber Security Alerts | Keeps a list of vulnerabilities, including sources and confirmations. Mostly for reference. | Vulnerabilities in different server operating systems in machine readable and processable format | Mailing list with web archive |
| Focus | Current information on security-critical incidents in computer systems. Only short versions | Announcements with immediate need for action, weekly summaries of the most important "technical warnings" | Desktop systems, viruses, server systems | Claim to list all publicly known vulnerabilities | Server software and server products | None |
| Activity / Reaction | Probably slight delay for editorial tests and translation | Slight delay | Relatively good | CANs are published promptly | No data | Slight delays for editorial work and aggregation |
| Precision | No tests | Low | Relatively good | Very good | Very good | Good |
| Structured Processes | Probably yes, not public | Probably yes, not public | Probably yes, not public | Yes, good descriptions | Yes, good descriptions | Yes, details on website |
| Long term reliability | Yes | Yes, due to cooperation with a national agency | Yes, US-American national agency. | Yes. Online for several years; supported by US national agency | Yes. Online for several years; supported by US national agency | Volunteer organisation |
| Meta Languages | No | No | Yes | Yes, good descriptions | Yes, OVAL. | Yes, own XML dialect |
| Sender verification | PGP and also S/MIME | PGP | No | No | No, only MD5 sums on a website | No |
| Online since | 6 years. | At least 2 years | 6 years. | About 8 years | Since 01.10.2002 | 5 years |
| Quality of announcements | Short announcements including short background information | Extensive but kept simple, include estimation of risk potential. | Extensive | Only short descriptions and list of references to further information sources | Short descriptions with references to CVE, plus exact criteria and conditions | Good |
