SSVC
List of CPE or other identifier for *Value Density* = "concentrated"
Let's start with CPE ID maybe, and see how that goes? Also, there are other reasons value density might be concentrated (the discussion of bug bounty price vis-a-vis Zerodium, for example). So the goal here is not to make an exhaustive list of what is and is not concentrated. Just a list of "if it is on this list, then it is concentrated." I would be interested to have a discussion about the feedback loop between bug bounty programs and VD, but that is a separate issue.
I'm sure we can invent scenarios where any system is not contextually important to the org deploying it, but that should be handled under mission impact, not here. It would be best to avoid getting into CPE minutiae here. But for better or worse, CPE doesn't contain a category like "web browsers" or anything, that I know of, so we would have to try to list all the relevant examples of a category out. We'll be resource-constrained on listing every single web server in CPE. But on the other hand, if something is obscure it probably doesn't have high value to attackers, so this problem is somewhat self-correcting.
https://cpe.mitre.org/specification/ defines the "well-formed name" (WFN) concept. For example:
cpe:/a:microsoft:internet_explorer:8.0.6001:beta
I think we want to list less detail than this. For example, the version number should not substantively change the overall value of a product type. So it's probably enough for this issue to list something like:
cpe:/a:microsoft:internet_explorer::
Star (*) is permitted CPE syntax for wildcards.
I think we should handle this in two steps. Try to agree on a list of categories (authentication management server, web server, database server, etc.) in the discussion here first, and then go through CPE and try to find all the relevant examples of each category.
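As an added example, not code from the SSVC project or from the issue author: a small matcher showing how a list in the proposed form (vendor and product given, version left empty or as "*") would be checked against a fully specified CPE name. It accepts both the CPE 2.2 URI form used above (cpe:/a:...) and the CPE 2.3 formatted-string form (cpe:2.3:a:...), lowercases components, treats an empty or "*" component as ANY, and allows "*" as a prefix/suffix wildcard inside a component. The sample list entries other than internet_explorer, the function names, and the decision to ignore every component after version are assumptions made for this illustration; CPE 2.3 backslash escaping of special characters is not handled.

```python
"""Check whether a CPE name is on a 'Value Density = concentrated' list.

Added example (not SSVC project code). Handles CPE 2.2 URI bindings
(cpe:/a:vendor:product:version:...) and CPE 2.3 formatted strings
(cpe:2.3:a:vendor:product:version:...). An empty component or '*' is ANY,
so an entry such as cpe:/a:microsoft:internet_explorer:: matches every
version of that product. Backslash escapes from CPE 2.3 are not handled.
"""
import re
from typing import List, NamedTuple, Optional

ANY = "*"


class CpeName(NamedTuple):
    part: str      # 'a' application, 'o' operating system, 'h' hardware
    vendor: str
    product: str
    version: str   # '*' when unspecified


# Constructed sample list for this example; the real list is what the issue is
# trying to agree on. Versions are left as ANY so every release matches.
CONCENTRATED: List[str] = [
    "cpe:/a:microsoft:internet_explorer::",                    # form proposed in the issue
    "cpe:2.3:a:apache:http_server:*:*:*:*:*:*:*:*",            # same idea, 2.3 formatted string
    "cpe:/o:microsoft:windows_server*",                        # '*' suffix wildcard in a component
]


def parse_cpe(cpe: str) -> CpeName:
    """Split a CPE 2.2 URI or 2.3 formatted string into part/vendor/product/version.

    Components are lowercased (CPE names are case-insensitive); a missing or
    empty component becomes '*' (ANY). Components after version (update,
    edition, language, ...) are deliberately ignored: the list identifies a
    product, not a build.
    """
    if cpe.startswith("cpe:2.3:"):
        comps = cpe[len("cpe:2.3:"):].split(":")
    elif cpe.startswith("cpe:/"):
        comps = cpe[len("cpe:/"):].split(":")
    else:
        raise ValueError(f"not a CPE name: {cpe!r}")
    comps = [c.strip().lower() or ANY for c in comps[:4]]
    comps += [ANY] * (4 - len(comps))
    return CpeName(*comps)


def _component_matches(pattern: str, value: str) -> bool:
    """Glob-style match of one component: '*' is ANY, '?' is one character.

    A specific pattern never matches an unspecified ('*') value, so a name
    with an unknown product is not classified as concentrated.
    """
    if pattern == ANY:
        return True
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def matches(entry: CpeName, candidate: CpeName) -> bool:
    """True when every component of the list entry accepts the candidate."""
    return all(_component_matches(p, v) for p, v in zip(entry, candidate))


def is_concentrated(cpe: str, concentrated: List[str] = CONCENTRATED) -> Optional[str]:
    """Return the list entry that matches `cpe`, or None if it is not on the list."""
    candidate = parse_cpe(cpe)
    for entry in concentrated:
        if matches(parse_cpe(entry), candidate):
            return entry
    return None


if __name__ == "__main__":
    for name in [
        "cpe:/a:microsoft:internet_explorer:8.0.6001:beta",
        "cpe:2.3:a:apache:http_server:2.4.57:*:*:*:*:*:*:*",
        "cpe:/o:microsoft:windows_server_2019",
        "cpe:/a:example:obscure_tool:1.0",
    ]:
        print(name, "->", is_concentrated(name) or "not on list")
```

The matcher is deliberately one-directional: the list entry supplies the wildcards, the candidate has to be at least as specific as the entry, so a bare "cpe:/a:microsoft" does not land on the list just because the entry's version is ANY. Matching on version would only be needed if the list ever carried a version, which the discussion above argues it should not.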