Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: security curmudgeon <jericho () attrition org>
Date: Tue, 1 Mar 2005 16:00:55 -0500 (EST)
: > What if someone posts to an incident list that they got owned by
: > this vuln, but the vendor hasn't ack'd it?
:
: I wouldn't trust randoms on an incident list to know what
: vulnerability caused the incident they are investigating.
:
: If you see an email to bugtraq saying:
: "I found a vuln in SSH."
:
: And someone else sends an email to incidents:
: "I only run SSH and got owned via SSH."
:
: Then you've got a new confirmed vulnerability? Not hardly.

Of course not. But some of the folks on the incidents lists are bright people. If they show traces and logs and supporting evidence that the compromise occurred via the same service reported vulnerable days prior, it stands a good chance to be related.

What if someone posted a Snort signature for a new vuln before a vendor ack'd it? You have no proof that it's a valid vulnerability yourself, but you have a detailed advisory from a reputable security researcher and a respected Snort sig writer that tested the vulnerability and wrote a signature to monitor for exploitation. That has to count for something, yes?

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave