Security Basics mailing list archives
Re: Vulnebrability level definition
From: Per Niila Albinsson <per () same net>
Date: Wed, 12 Feb 2003 23:20:41 +0100
Hi

From a vendor point of view I agree there is a difference. Though the complexity of exploiting a certain vulnerability would probably be a good indicator for the probability classification. A vendor can only give a very generic answer to these questions. When I suggested to take the probability into account I was targeting a scenario where a consultant will make a penetration test and present the result for the customers.

/Per Niila

Amen to this. My personal belief is that one can not say what is the severity of a bug. It all depends on how the equipment is used. It may not be much about if it is a large network or not but if that feature is used.

Another question is "What is worth of your data?". If some bug will expose something that is public anyway then it boils down to a nuisance. If it will expose your confidential data then it is very serious indeed.

The vendor can not know how a particular feature will be used in a customer's environment. Yes, a vendor may have some idea but, is it valid in all cases?

Gaus