Dailydave mailing list archives

Re: Vuln scoring system anyone?


From: Oliv <odevaux () gmail com>
Date: Wed, 2 Mar 2005 10:40:25 -0800

Here is the web app: http://www.vulnerabilite.com/cvss_en/

Oliv

On Tue, 01 Mar 2005 11:18:14 -0500, Dave Aitel <dave () immunitysec com> wrote:
Brian Erdelyi wrote:

Ok, well now that I've read the report, I can
comment on it:
1. It turns out "access complexity" means "race
conditions or client
side vulns"



I didn't try to be too narrow with my interpretation
of Access Complexity, I think it's a great term.  One
of my personal beefs is that some people neglect to
differentiate between the level of access required to
exploit the vulnerability.  If authentication is
required, are admin/root privileges required to exploit
it?  To exploit the vuln does it require user
interaction?  Maybe this is what you mean by "race
condition or client side vuln"?



I just think it was a bit confusing when presented without supporting
text. Maybe you could make it a web app instead of an Excel spreadsheet. :>


2. "Report Confidence" as "uncorroborated" as
"Multiple non-official
sources; possibly including independent security
companies or research
organizations." Then as "Confirmed" as "Vendor has
reported/confirmed a
problem within its own product." This is basically



I think that may be a more intuitive distinction.  I
don't think it's reversed since it is intended that
the vendor confirm it.

Personally, I would refer to "Impact Bias" as "Impact
Priority".


Hmm. I guess my point here is that vendors are very bad places to get
your vulnerability information. When we release a WINS overflow, and it
works, that means there's 100% chance of an exploitable vulnerability.
Microsoft won't acknowledge that until they have a patch, which games
the system a bit. When Cisco releases an advisory on BGP saying it's a
DoS, that's misleading. Etc.

The other thing that wasn't answered for me by the presentations was:
What makes this set of metrics more special than other metrics? Is it
just buy in from the vendors? Is there some sort of test we can run that
will demonstrate its usefulness over others?


-dave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
