No subject

Christopher Morrow morrowc.lists at
Tue May 19 19:11:50 UTC 2015


yikes formatting for this got wonky...

On Tue, May 19, 2015 at 11:53 AM, Ryan Shea via NANOG <nanog at>
> ---------- Forwarded message ----------
> From: Ryan Shea <ryanshea at>
> To: nanog list <nanog at>
> Cc:
> Date: Tue, 19 May 2015 15:53:15 +0000
> Subject: Unified Security Vulnerability Management
> Manually setting up and parsing email notifications for security
> vulnerabilities for all vendors is mighty annoying. It looks like the ICASI
> CVRF <> Working Group thought the same thing back
> in 2011 when they came up with this handy XML schema. I had not known of
> this until yesterday and noticed that Cisco does a good job
> <> posting their
> vulnerabilities in CVRF. Word on the streets is that Juniper
> <> was at least
> partially involved in CVRF as well. Brocade may have looked into it as well.
> This does not seem like a difficult thing for vendors to do, but the
> missing piece may be customer interest. I am hoping to drum up some
> interest here -- maybe a few support requests would entice them to hand
> this off to an intern and we could collectively do better at managing
> vendor notifications. A tool <> to
> parse CVRF is already floating about as well (mschiffm).

I bet if we can get FR/PR numbers for some vendors we might be able to
get a bunch of people to add support through a central set of points
per vendor.

Can we put the PR for juniper here? (and if other folk have a PR/FR
for their pet vendor(s) add those to the list?)

More information about the NANOG mailing list