Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: Blue Boar <BlueBoar () thievco com>
Date: Tue, 01 Mar 2005 11:03:43 -0800
Dave Aitel wrote:
> 2. "Report Confidence" as "Uncorroborated" as "Multiple non-official sources; possibly including independent security companies or research organizations." Then as "Confirmed" as "Vendor has reported/confirmed a problem within its own product." This is basically reversed. Isn't it Cisco who is calling every vulnerability a DoS and it takes ISS/FX to tell everyone that they are really remote heap overflows which are perfectly well exploitable? This is something Cisco has done even as recently as the BGP vulnerability, if I remember correctly. As a rule, commercial vendors are pretty faulty in this regard.
SecurityFocus used to have (and I assume still does) a "vendor confirmed" flag. It meant that the vendor had looked into it, and released some confirmation that there was a problem.
If the vendor says there is a problem in their own code, then it is generally safe to assume the problem is real. As opposed to some semi-trustable group with a tendency to release fake advisories.
And that's about all it meant, that the vendor confirmed "a problem", and it didn't get into how exploitable it was.
Yes, some vendors downplay the exploitability of their problems. Others seem to inflate it. Isn't this the list that was complaining about MS calling vulnerabilities "critical" recently?
Anyway, I think you might be reading too much into it by trying to attach an "exploitability level" aspect to the "vendor confirmed" field.
BB

Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave