Dailydave mailing list archives

Re: Vuln scoring system anyone?


From: security curmudgeon <jericho () attrition org>
Date: Tue, 1 Mar 2005 15:40:11 -0500 (EST)


: > Hmm. I guess my point here is that vendors are very
: > bad places to get 
: > your vulnerability information. When we release a
: 
: Assuming base score of 10.  No patch and vuln is not
: acknowledged by vendors.
: Exploitability        High
: Remediation Level     Unavailable
: Report Confidence     Uncorroborated
: Temporal Score        9.5

And what if Dave Aitel posts to a list saying he confirmed the findings of 
eEye? To me, confirmation by security researchers that have historically 
demonstrated accuracy in vulnerability reports counts as corroborated. Will 
the vendors see it that way? What if someone posts to an incident list that 
they got owned by this vuln, but the vendor hasn't ack'd it?

: Once patched by vendor:
: Exploitability        High
: Remediation Level     Official Fix
: Report Confidence     Confirmed
: Temporal Score        8.7

What if the patch is available but breaks other functions? Admins can 
install it and remediate the problem while breaking a required protocol, 
or they can remain vulnerable and functional. Does this system deal with 
such cases? How will Microsoft label it? "We have a patch out," and lower 
the rating.

: Vendor support and an open methodology are significant differentiators.  
: I think it's too soon to test its usefulness over others.  Considering 
: the media attention it's been getting, this can help improve awareness and 
: adoption.  I expect vendors of vulnerability assessment tools will be 
: quick to incorporate this score.

I'm curious why more vendors of vulnerability assessment tools weren't 
recruited to participate. They understand the risks better than the 
vendors usually, and have nothing to gain by downplaying it. Hell, they 
would likely be more prone to give it the worst score (within reason) as 
it benefits their market. This would create a nasty balance between the 
two. =)

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
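The two temporal scores quoted in the message (9.5 with no patch and no vendor acknowledgement, 8.7 once an official fix is out and the report is confirmed) come from multiplying the base score by the three CVSS v1 temporal factors. The following is an added worked example, not code from the poster or the thread: it rebuilds that arithmetic and then scores the two "what if" cases the reply raises (third-party confirmation without a vendor ack; a patch that exists but breaks a required function). The multiplier tables are assumed from the CVSS v1 specification; the page itself confirms only the two resulting scores.

```python
"""CVSS v1 temporal scoring, reconstructed as an added example.

Assumption: the multiplier values below are the CVSS v1 temporal tables.
The thread only shows the resulting scores (9.5 and 8.7), which these
tables reproduce.
"""

EXPLOITABILITY = {
    "Unproven": 0.85,
    "Proof-of-Concept": 0.90,
    "Functional": 0.95,
    "High": 1.00,
}
REMEDIATION_LEVEL = {
    "Official Fix": 0.87,
    "Temporary Fix": 0.90,
    "Workaround": 0.95,
    "Unavailable": 1.00,
}
REPORT_CONFIDENCE = {
    "Unconfirmed": 0.90,
    "Uncorroborated": 0.95,
    "Confirmed": 1.00,
}


def temporal_score(base, exploitability, remediation, confidence):
    """Temporal score = base * E * RL * RC, rounded to one decimal as CVSS v1 does."""
    score = (base
             * EXPLOITABILITY[exploitability]
             * REMEDIATION_LEVEL[remediation]
             * REPORT_CONFIDENCE[confidence])
    return round(score, 1)


def thread_scenarios(base=10.0):
    """Score the situations discussed in the thread, all from the same base score of 10."""
    return {
        # Quoted in the message: no patch, vendor has not acknowledged the report.
        "unpatched, unacknowledged":
            temporal_score(base, "High", "Unavailable", "Uncorroborated"),
        # Quoted in the message: vendor ships an official fix and confirms the issue.
        "official fix, confirmed":
            temporal_score(base, "High", "Official Fix", "Confirmed"),
        # Reply's first question: a credible third party confirms the finding,
        # the vendor still has not. Whether that counts as Confirmed is a policy
        # choice; the metric only sees the label, not who applied it.
        "third-party confirmed, no patch":
            temporal_score(base, "High", "Unavailable", "Confirmed"),
        # Reply's second question: a patch exists but breaks a required protocol.
        # CVSS v1 has no "fix is unusable" value, so the scorer must pick between
        # Official Fix (drops the score) and Workaround (keeps it higher).
        "patch breaks required protocol (as Official Fix)":
            temporal_score(base, "High", "Official Fix", "Confirmed"),
        "patch breaks required protocol (as Workaround)":
            temporal_score(base, "High", "Workaround", "Confirmed"),
    }


if __name__ == "__main__":
    for name, score in thread_scenarios().items():
        print(f"{name:50s} {score:4.1f}")
```

Running it shows the point of the reply in numbers: the third-party-confirmed case lands at 10.0 while the vendor's own labelling leaves it at 9.5, and the broken-patch case swings between 8.7 and 9.5 purely on which remediation label the scorer chooses. The temporal metrics encode a judgement about the vendor's statements, not the admin's actual ability to remediate.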
