Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: Dave Aitel <dave () immunitysec com>
Date: Tue, 01 Mar 2005 11:18:14 -0500
Brian Erdelyi wrote:
I just think it was a bit confusing when presented without supporting text. Maybe you could make it a web app instead of a Excel spreadsheet. :>Ok, well now that I've read the report, I can comment on it: 1. It turns out "access complexity" means "raceconditions or client side vulns"I didn't try to be too narrow with my interpretation of Access Complexity, I think it's a great term. One of my personal beefs is that some people neglect to differentiate between the level of access required to exploit the vulnerability. If authentication is required, is admin/root privileges required to exploit it? To exploit the vuln does it require user interaction? Maybe this is what you mean by "race condition or client side vuln"?
Hmm. I guess my point here is that vendors are very bad places to get your vulnerability information. When we release a WINS overflow, and it works, that means there's 100% chance of an exploitable vulnerability. Microsoft won't acknowledge that until they have a patch, which games the system a bit. When Cisco releases an advisory on BGP saying it's a DoS, that's misleading. Etc.2. "Report Confidence" as "uncorroborated as"Multiple non-official sources; possibly including independant security companies or research organizations. Then as "Confirmed" as "Vendor has reported/confirmed a problem within it's own product." This is basicallyI think that may be a more intuitive distintion. I don't think it's reversed since it is intended that the vendor confirm it. Personally, I would refer to "Impact Bias" as "Impact Priority".
The other thing that wasn't answered for me by the presentations was: What makes this set to metrics more special than other metrics? Is it just buy in from the vendors? Is there some sort of test we can run that will demonstrate it's usefulness over others?
-dave _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: Vuln scoring system anyone? security curmudgeon (Feb 26)
- Re: Vuln scoring system anyone? Adam Shostack (Feb 28)
- <Possible follow-ups>
- RE: Vuln scoring system anyone? Kevin Greene (Feb 26)
- Vuln scoring system anyone? Brian Erdelyi (Feb 28)
- Vuln scoring system anyone? Brian Erdelyi (Feb 28)
- Re: Vuln scoring system anyone? Dave Aitel (Feb 28)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Mar 01)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Mar 01)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Brian (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Blue Boar (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Brian (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Feb 28)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Oliv (Mar 02)
- Re: Vuln scoring system anyone? Tom Parker (Mar 02)