Dailydave mailing list archives

Re: Vuln scoring system anyone?


From: security curmudgeon <jericho () attrition org>
Date: Tue, 1 Mar 2005 18:29:12 -0500 (EST)


: > What if someone posted a Snort signature for a new vuln before a vendor
: > ack'd it? You have no proof that it's a valid vulnerability yourself, but you
: > have a detailed advisory from a reputable security researcher and a
: > respected snort sig writer that tested the vulnerability and wrote a
: > signature to monitor for exploitation. 
: > That has to count for something, yes?
: 
: Yes, it counts for something.  However, it's not the sort of easy thing 
: to weight when creating a simplistic scoring system.  It's not a nice 
: easy binary state like "vendor ack".  At best, it gets oversimplified 
: into something like "seen in the wild" or "anecdotal evidence".

Sounds like you improved on their system already. Instead of a binary 
yes/no, having a third option for that seems reasonable.

Again, this goes to an overall system that is really easy to oversimplify, 
or overcomplicate, and finding that balance is the trick.

Or making the system more elaborate, but not necessarily more complex. 
What if the system let the vendors assign these simple categories, but let 
vuln databases expand on it and give it a more refined number. Vendors say 
"7 out of 10", Blue Boar reads more about the subject, does a little more 
research and testing, and says "8 out of 10" or gives it a "+1 modifier". 
I don't know, anything more than the oversimplified systems that we've had 
for ages that didn't cut it then, but are supposed to magically cut it now 
because a handful of vendors with their own interests say it does.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave