Re: Vulnebrability level definition

[Per Niila Albinsson <per () same net>]

Hi

From a vendor point of view I agree there is a difference. Though the 
complexity of exploiting a certain vulnerability would probably be a good 
indicator for the probability classification.A vendor can only give a very 
generic answer to these questions.

When I suggested to take the probability in count I was targeting a scenario 
where a consultant will make a penetration test and present the result for 
the customers.
/Per Niila

> Amen to this. My personal belief is that one can not say what is the
> severity of a bug. It all depends on how the equipment is used. It
> may not be much about if it is a large network or not but if that
> feature is used. Another question is "What is worth of your data?".
> If some bug will expose something that is public anyway then it
> boils down a nuisance. If it will expose your confidential data then
> it is very serious indeed. The vendor can not know how a particular
> feature will be used in a customer's environment. Yes, a vendor may
> have some idea but, is it valid in all cases?
>
> Gaus

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/