Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: security curmudgeon <jericho () attrition org>
Date: Sat, 26 Feb 2005 21:54:54 -0500 (EST)
: > In general, my gut reaction is "why the hype?" I've done extensive
: ....
: > scoring really do that high/medium/low doesn't? Does a 1 to 10 style
: > system add value? 1 to 100? At what point does it get too obscure or too
: > granulated to be helpful?
: ...
: > The fact that these vendors are leading the initiative scares me. These
: > are the same ones that intentionally or ignorantly labeled remote code
:
: It is *only* the fact that major vendors are leading this that makes it
: valuable. While I'm skeptical of any rating system's applicability to my
: own circumstances, I *would* appreciate having vendor releases come out
: on the same scale - even if that scale is meaningless outside of its
: own context. *I* might know the difference, but having people call me
: up asking why company A calls X a "High", but company B calls it a
: "Medium" can be a huge headache.

Err, ok, then why support this? It will cause the same headache.

You say if all the vendors agree an issue is 'High Risk', less headache. However, if those vendors agree an issue is 'Medium Risk', and security folks at CVE or OSVDB or Secunia or SecurityTracker or ISS or SecurityFocus or [..] say "No, this is High Risk", you have the same problem. Customers will see two ratings, questions ensue.

Consider that while many people will get information from these vendors first, many others will not. They get their information from vulnerability alert services (Secunia, SecurityTracker, etc). That is the first information they see, and their rating is often the determination for how an organization reacts immediately.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave