Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: Brian Erdelyi <brian_erdelyi () yahoo com>
Date: Tue, 1 Mar 2005 07:49:40 -0800 (PST)
Ok, well now that I've read the report, I can comment on it: 1. It turns out "access complexity" means "race conditions or client side vulns"
I didn't try to be too narrow with my interpretation of Access Complexity, I think it's a great term. One of my personal beefs is that some people neglect to differentiate between the level of access required to exploit the vulnerability. If authentication is required, is admin/root privileges required to exploit it? To exploit the vuln does it require user interaction? Maybe this is what you mean by "race condition or client side vuln"?
2. "Report Confidence" as "uncorroborated as "Multiple non-official sources; possibly including independant security companies or research organizations. Then as "Confirmed" as "Vendor has reported/confirmed a problem within it's own product." This is basically
I think that may be a more intuitive distintion. I don't think it's reversed since it is intended that the vendor confirm it. Personally, I would refer to "Impact Bias" as "Impact Priority". As with any scoring system there is potential for misuse and errors. I created the calculator do illustrate how CVSS works and to do what-if scenarios. DoS Vuln: Access Vector Remote Access Complexity Low Authentication Not Required Confidentiality Impact None Integrity Impact None Availability Impact Complete Impact Bias Availability Base Score 5 Buffer Overflow: Access Vector Remote Access Complexity Low Authentication Not Required Confidentiality Impact None Integrity Impact Complete Availability Impact Complete Impact Bias Integrity Base Score 7.5 Does that describe the scenario you mean? In this case base score can vary by 2.5. Regards, Brian Erdelyi __________________________________ Do you Yahoo!? Yahoo! Mail - 250MB free storage. Do more. Manage less. http://info.mail.yahoo.com/mail_250 _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: Vuln scoring system anyone? security curmudgeon (Feb 26)
- Re: Vuln scoring system anyone? Adam Shostack (Feb 28)
- <Possible follow-ups>
- RE: Vuln scoring system anyone? Kevin Greene (Feb 26)
- Vuln scoring system anyone? Brian Erdelyi (Feb 28)
- Vuln scoring system anyone? Brian Erdelyi (Feb 28)
- Re: Vuln scoring system anyone? Dave Aitel (Feb 28)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Mar 01)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Mar 01)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Brian (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Blue Boar (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Brian (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Feb 28)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Oliv (Mar 02)