Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: security curmudgeon <jericho () attrition org>
Date: Tue, 1 Mar 2005 18:29:12 -0500 (EST)
: > What if someone posted a Snort signature for a new vuln before a vendor
: > ack'd it? You have no proof that its a valid vulnerability yourself, but you
: > have a detailed advisory from a reputable security researcher and a
: > respected snort sig writer that tested the vulnerability and wrote a
: > signature to monitor for exploitation.
: >
: > That has to count for something, yes?
:
: Yes, it counts for something. However, it's not the sort of easy thing
: to weight when creating a simplistic scoring system. It's not a nice
: easy binary state like "vendor ack". At best, it gets oversimplified
: into something like "seen in the wild" or "anecdotal evidence".

Sounds like you improved on their system already. Instead of a binary yes/no, having a third option for that seems reasonable.

Again, this goes to an overall system that is really easy to oversimplify, or overcomplicate, and finding that balance is the trick. Or making the system more elaborate, but not necessarily more complex.

What if the system let the vendors assign these simple categories, but let vuln databases expand on it and give it a more refined number. Vendors say "7 out of 10", Blue Boar reads more about the subject, does a little more research and testing, and says "8 out of 10" or gives it a "+1 modifier".

I don't know, anything more than oversimplified systems that we've had for ages that didn't cut it then, but are supposed to magically cut it now because a handful of vendors with their own interests say it does.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave