
Information on possible sources for security related announcements and vulnerabilities (Status: 20070704)

This analysis was done by Meike Reichle of DN-Systems GmbH. The table is also available as the original ODS file.
Information on possible sources for security related announcements and vulnerabilities, Part 1 (Status: 20070704)

| | Bugtraq | Mcert | CERT/CC | RUS CERT (Uni Stuttgart) | Bund-CERT WID advisories |
|---|---|---|---|---|---|
| URL | www.securityfocus.com | www.mcert.de | www.cert.org | cert.uni-stuttgart.de | www.bsi.de/certbund/ |
| Operator | Symantec Corporation | BSI and BITKOM companies, e.g. SUN, Microsoft and SAP | Software Engineering Institute, Carnegie Mellon University | Rechenzentrum der Universität Stuttgart | Bundesamt für Sicherheit in der Informationstechnik (BSI) |
| Communication media | Mailing list with web archive | Commercial mailing list and mail archive; free: RSS feed and website with 5 current short announcements | Website with security-relevant information for administrators, programmers and managers; no current information | Mailing list, news group, RSS feed, web archive. Security announcements including risk estimations | Mailing list with current announcements, apparently no public archive |
| Focus | Detailed discussion and security announcements | Software used in small and medium-sized businesses; "professional" edition targets companies | No data | Mostly GNU/Linux, Sun Solaris, Microsoft Windows and Microsoft's server products | Current information on security-critical incidents in computer systems and countermeasures, for national agencies |
| Activity / Reaction | At the same time as or even before vendor announcements | Probably slight delay for editorial tests and translation | Publication delayed by at least 45 days, sometimes more | Slight delay due to translation | Average |
| Precision | Usually forwards announcements without checking | No sufficient data | Probably good due to high delay | Probably very good | No tests |
| Structured Processes | Not really | Probably yes, not public | No data | No data, probably good | Probably yes, not public |
| Long term reliability | Has been around for some time already, funding seems secured | Good (run by BMI, BMWI and BITKOM) | Yes, first "CERT". | Yes | Yes |
| Meta Languages | No | Apparently not | No data | RSS feed. | Yes, own XML dialect |
| Sender verification | Only partially, with forwarded announcements | PGP signatures, S/MIME also possible. | No data | Cannot be told from web archive | PGP and also S/MIME |
| Online since | 11 years | 4 years. | 19 years | Sep 2002 (acc. to mail archives) | 6 years. |
| Quality of announcements | Detailed information, sometimes with discussion | Only last five short announcements are free; rest unknown. | No sufficient data | Extensive German security announcements with references to original sources, problem descriptions, risk estimations, work-arounds and fixes. | |

Information on possible sources for security related announcements and vulnerabilities, Part 2 (Status: 20070704)

| | Bund-CERT kurzinfo | BürgerCERT Tech. Warnungen | US-CERT | CVE | oval.mitre.org | osvdb.org |
|---|---|---|---|---|---|---|
| URL | www.bsi.de/certbund/ | www.buerger-cert.de | www.us-cert.gov | cve.mitre.org | oval.mitre.org/repository/download/ | osvdb.org |
| Operator | Bundesamt für Sicherheit in der Informationstechnik (BSI) | mCert and BSI | US Department of Homeland Security | Supported by Mitre; financed by US Department of Homeland Security | Supported by Mitre; financed by US Department of Homeland Security | osvdb community; Open Security Foundation |
| Communication media | Mailing list with current announcements, apparently no public archive | Mailing list with web archive | Mailing lists and RSS feeds for Technical Cyber Security Alerts, Cyber Security Bulletins and Cyber Security Alerts | Keeps a list of vulnerabilities, including sources and confirmations. Mostly for reference. | Vulnerabilities in different server operating systems in machine-readable and processable format | Mailing list with web archive |
| Focus | Current information on security-critical incidents in computer systems. Only short versions | Announcements with immediate need for action, weekly summaries of the most important "technical warnings" | Desktop systems, viruses, server systems | Claims to list all publicly known vulnerabilities | Server software and server products | None |
| Activity / Reaction | Probably slight delay for editorial tests and translation | Slight delay | Relatively good | CANs are published promptly | No data | Slight delays for editorial work and aggregation |
| Precision | No tests | Low | Relatively good | Very good | Very good | Good |
| Structured Processes | Probably yes, not public | Probably yes, not public | Probably yes, not public | Yes, good descriptions | Yes, good descriptions | Yes, details on website |
| Long term reliability | Yes | Yes, due to cooperation with a national agency | Yes, US-American national agency. | Yes. Online for several years; supported by US national agency | Yes. Online for several years; supported by US national agency | Volunteer organisation |
| Meta Languages | No | No | Yes | Yes, good descriptions | Yes, OVAL. | Yes, own XML dialect |
| Sender verification | PGP and also S/MIME | PGP | No | No | No, only MD5 sums on a website | No |
| Online since | 6 years. | At least 2 years | 6 years. | About 8 years | Since 01.10.2002 | 5 years |
| Quality of announcements | Short announcements including short background information | Extensive but kept simple, include estimation of risk potential. | Extensive | Only short descriptions and list of references to further information sources | Short descriptions with references to CVE, also exact criteria and conditions | Good |