Dailydave mailing list archives

Re: Vuln scoring system anyone?


From: Dave Aitel <dave () immunitysec com>
Date: Tue, 01 Mar 2005 09:46:00 -0500

Ok, well now that I've read the report, I can comment on it:
1. It turns out "access complexity" means "race conditions or client-side vulns".
2. "Report Confidence" has "uncorroborated" as "Multiple non-official sources; possibly including independent security companies or research organizations." Then "Confirmed" as "Vendor has reported/confirmed a problem within its own product." This is basically reversed. Isn't it Cisco who is calling every vulnerability a DoS and it takes ISS/FX to tell everyone that they are really remote heap overflows which are perfectly well exploitable? This is something Cisco has done even as recently as the BGP vulnerability, if I remember correctly. As a rule, commercial vendors are pretty faulty in this regard.

-dave

Brian Erdelyi wrote:

The tool I created follows the CVSS report published
at www.dhs.gov/niac.  Here you can see details about
the variables and the formula.

I'm going to post the MS Excel version in a few hours.

Regards,
Brian Erdelyi

