Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: "Kurt Seifried" <listuser () seifried org>
Date: Wed, 2 Mar 2005 23:27:42 -0700
I think the real problem is that no matter how good a rating system you come up with, the end user still has to do something. This reminds me of the Code Red/Orange/Yellow/Blue/Green (I think I got that right) thing the DHS does. No-one actually knows what to do in case of a code red. Duck and cover? Flee the city? Stay at home and duct tape/plastic the entire house (did anyone remember to bring the cat in)? Same for a rating system for infosec issues. Level 1-3 means ignore, 4-6 fix in next maintenance window, 7-10 start testing and apply in <1 week or what? But yes, people love "rating numbers" and other metrics even if they are not very well done or largely ignored.
-Kurt