(-direct-ryan) yikes formatting for this got wonky...
On Tue, May 19, 2015 at 11:53 AM, Ryan Shea via NANOG <nanog@nanog.org>
> ---------- Forwarded message ----------
> From: Ryan Shea <ryans...@google.com>
> To: nanog list <nanog@nanog.org>
> Cc:
> Date: Tue, 19 May 2015 15:53:15 +0000
> Subject: Unified Security Vulnerability Management
>
> Manually setting up and parsing email notifications for security
> vulnerabilities for all vendors is mighty annoying. It looks like the ICASI
> CVRF <http://www.icasi.org/cvrf> Working Group thought the same thing back
> in 2011 when they came up with this handy XML schema. I had not known of
> this until yesterday and noticed that Cisco does a good job
> <http://tools.cisco.com/security/center/cvrfListing.x> posting their
> vulnerabilities in CVRF. Word on the streets is that Juniper
> <https://twitter.com/junipersirt/status/70627418737610752> was at least
> partially involved in CVRF as well. Brocade may have looked into it as well.
>
> This does not seem like a difficult thing for vendors to do, but the
> missing piece may be customer interest. I am hoping to drum up some
> interest here -- maybe a few support requests would entice them to hand
> this off to an intern and we could collectively do better at managing
> vendor notifications. A tool <https://github.com/mschiffm/cvrfparse> to
> parse CVRF is already floating about as well (mschiffm).

I bet if we can get FR/PR numbers for some vendors we might be able to get a bunch of people to add support through a central set of points per vendor.

Can we put the PR for Juniper here? (and if other folk have a PR/FR for their pet vendor(s) add those to the list?)