Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: security curmudgeon <jericho () attrition org>
Date: Tue, 1 Mar 2005 15:40:11 -0500 (EST)
: > Hmm. I guess my point here is that vendors are very
: > bad places to get
: > your vulnerability information. When we release a
:
: Assuming base score of 10. No patch and vuln is not
: acknowledged by vendors.
: Exploitability High
: Remediation Level Unavailable
: Report Confidence Uncorroborated
: Temporal Score 9.5

And what if Dave Aitel posts to a list saying he confirmed the findings of eEye? To security researchers that have historically demonstrated accuracy in vulnerability reports is corroborated to me. Will the vendors see it that way? What if someone posts to an incident list that they got owned by this vuln, but the vendor hasn't ack'd it?

: Once patched by vendor:
: Exploitability High
: Remediation Level Official Fix
: Report Confidence Confirmed
: Temporal Score 8.7

What if the patch is available but breaks other functions? Admins can install it and remediate the problem while breaking a required protocol, or they can remain vulnerable and functional. Does this system deal with such cases? How will Microsoft label it? "We have a patch out" and lower the rating.

: Vendor support and an open methodology are significant differentiators.
: I think it's too soon to test its usefulness over others. Considering
: the media attention it's been getting, this can help improve awareness and
: adoption. I expect vendors of vulnerability assessment tools will be
: quick to incorporate this score.

I'm curious why more vendors of vulnerability assessment tools weren't recruited to participate. They understand the risks better than the vendors usually, and have nothing to gain by downplaying it. Hell, they would likely be more prone to give it the worst score (within reason) as it benefits their market. This would create a nasty balance between the two. =)

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
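The two temporal scores quoted in the message (9.5 and 8.7) follow from the CVSS v1 temporal formula, base score times the three temporal multipliers. The script below is an added example, not part of the thread; the multiplier values are assumed to be the CVSS v1 ones (transcribed from the specification, check against the document before relying on them), and `remediation_spread` is a hypothetical helper that shows how much of the score is controlled by the remediation-level label the post complains about.

```python
# CVSS v1 temporal scoring (added example, not from the post).
# Temporal = Base * Exploitability * RemediationLevel * ReportConfidence,
# rounded to one decimal.  Multipliers are the CVSS v1 values (assumption:
# transcribed from the specification, verify before relying on them).
from typing import Dict

EXPLOITABILITY: Dict[str, float] = {
    "Unproven": 0.85, "Proof-of-Concept": 0.90, "Functional": 0.95, "High": 1.00,
}
REMEDIATION_LEVEL: Dict[str, float] = {
    "Official Fix": 0.87, "Temporary Fix": 0.90, "Workaround": 0.95, "Unavailable": 1.00,
}
REPORT_CONFIDENCE: Dict[str, float] = {
    "Unconfirmed": 0.90, "Uncorroborated": 0.95, "Confirmed": 1.00,
}


def temporal_score(base: float, exploitability: str,
                   remediation: str, confidence: str) -> float:
    """Temporal score for one base score; KeyError on an unknown metric
    value so a typo in a scoring sheet fails loudly rather than scoring 1.0."""
    if not 0.0 <= base <= 10.0:
        raise ValueError(f"base score out of range: {base}")
    product = (base * EXPLOITABILITY[exploitability]
               * REMEDIATION_LEVEL[remediation]
               * REPORT_CONFIDENCE[confidence])
    return round(product, 1)


def remediation_spread(base: float, exploitability: str,
                       confidence: str) -> Dict[str, float]:
    """Score under every remediation level, holding the other metrics fixed
    (hypothetical helper).  This is the lever the post worries about: labelling
    a patch that breaks other functionality as 'Official Fix' lowers the score;
    v1's only finer-grained options are 'Temporary Fix' and 'Workaround'."""
    return {level: temporal_score(base, exploitability, level, confidence)
            for level in REMEDIATION_LEVEL}


if __name__ == "__main__":
    # The two cases quoted in the thread (base 10, exploitability High).
    print(temporal_score(10.0, "High", "Unavailable", "Uncorroborated"))  # 9.5
    print(temporal_score(10.0, "High", "Official Fix", "Confirmed"))      # 8.7
    print(remediation_spread(10.0, "High", "Confirmed"))
```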
Current thread:
- Re: Vuln scoring system anyone?, (continued)
- Re: Vuln scoring system anyone? Adam Shostack (Feb 28)
- RE: Vuln scoring system anyone? Kevin Greene (Feb 26)
- Vuln scoring system anyone? Brian Erdelyi (Feb 28)
- Vuln scoring system anyone? Brian Erdelyi (Feb 28)
- Re: Vuln scoring system anyone? Dave Aitel (Feb 28)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Mar 01)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Mar 01)
- Re: Vuln scoring system anyone? Brian Erdelyi (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Brian (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Blue Boar (Mar 01)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Brian (Mar 01)
- Re: Vuln scoring system anyone? Dave Aitel (Feb 28)
- Re: Vuln scoring system anyone? security curmudgeon (Mar 01)
- Re: Vuln scoring system anyone? Oliv (Mar 02)
- Re: Vuln scoring system anyone? Tom Parker (Mar 02)
- Re: Vuln scoring system anyone? Jason (Mar 02)
- Re: Vuln scoring system anyone? Kurt Seifried (Mar 02)