Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: Dave Aitel <dave () immunitysec com>
Date: Tue, 01 Mar 2005 09:46:00 -0500
Ok, well now that I've read the report, I can comment on it:

1. It turns out "access complexity" means "race conditions or client side vulns"
2. "Report Confidence" as "uncorroborated" as "Multiple non-official sources; possibly including independent security companies or research organizations." Then as "Confirmed" as "Vendor has reported/confirmed a problem within its own product." This is basically reversed. Isn't it Cisco who is calling every vulnerability a DoS and it takes ISS/FX to tell everyone that they are really remote heap overflows which are perfectly well exploitable? This is something Cisco has done even as recently as the BGP vulnerability, if I remember correctly. As a rule, commercial vendors are pretty faulty in this regard.
-dave

Brian Erdelyi wrote:

The tool I created follows the CVSS report published at www.dhs.gov/niac. Here you can see details about the variables and the formula. I'm going to post the MS Excel version in a few hours.

Regards,
Brian Erdelyi