Dailydave mailing list archives

Re: Vuln scoring system anyone?


From: Blue Boar <BlueBoar () thievco com>
Date: Tue, 01 Mar 2005 11:03:43 -0800

Dave Aitel wrote:
2. "Report Confidence" has "Uncorroborated" as "Multiple non-official sources; possibly including independent security companies or research organizations." Then "Confirmed" as "Vendor has reported/confirmed a problem within its own product." This is basically reversed. Isn't it Cisco who is calling every vulnerability a DoS and it takes ISS/FX to tell everyone that they are really remote heap overflows which are perfectly well exploitable? This is something Cisco has done even as recently as the BGP vulnerability, if I remember correctly. As a rule, commercial vendors are pretty faulty in this regard.

SecurityFocus used to have (and I assume still does) a "vendor confirmed" flag. It meant that the vendor had looked into it, and released some confirmation that there was a problem.

If the vendor says there is a problem in their own code, then it is generally safe to assume the problem is real, as opposed to some semi-trustable group with a tendency to release fake advisories.

And that's about all it meant, that the vendor confirmed "a problem", and it didn't get into how exploitable it was.

Yes, some vendors downplay the exploitability of their problems. Others seem to inflate it. Isn't this the list that was complaining about MS calling vulnerabilities "critical" recently?

Anyway, I think you might be reading too much into it by trying to attach an "exploitability level" aspect to the "vendor confirmed" field.

                                        BB
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
