Dailydave mailing list archives

Re: Vuln scoring system anyone?


From: security curmudgeon <jericho () attrition org>
Date: Tue, 1 Mar 2005 15:42:17 -0500 (EST)



: SecurityFocus used to have (and I assume still does) a "vendor 
: confirmed" flag.  It meant that the vendor had looked into it, and 
: released some confirmation that there was a problem.
: 
: If the vendor says there is a problem in their own code, then it is 
: generally safe to assume the problem is real.  As opposed to some 
: semi-trustable group with a tendency to release fake advisories.

OSVDB uses this flag as well. We have extended the 'confirmation' to also 
include something we have personally tested, and will sometimes flag it 
depending on the source of the vulnerability. The main time it gets the 
flag is for vendor confirmation in the form of advisory, release notes, 
changelog, news update, etc.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
