Vulnerability Development mailing list archives

Re: Exploit Ease Level

From: vision () WHITEHATS COM (Max Vision)
Date: Wed, 26 Apr 2000 20:26:47 -0700


On Tue, 25 Apr 2000, Rory Savage wrote:

I wish there was an `Exploit Ease Refrence Level`, so when one posts an
exploit, they would also post an `Easebility` level to let others know
if it's an easy trick, or a drawn-out project that involves alot of
time.  This is just a suggestion, but I think it would really work out well,
especially for these mailing lists. But I know I am farting in the wind
again... and nobody cares... but in a few months, somebody will steal my
idea anyway (and call it their own).

In fact, I just might draft up a proposal... and see that the `scene`
think about it.

Cheers!

Rory,

This is actually a really old idea that has been around at least in
commercial security scanners (such as Ballista/Cybercop) for some number
of years (sometimes refered to as "complexity").  I believe several
security groups are working these sorts of values into metrics of overall
risk levels for various vulnerabilities (alongside impact, popularity,
ease of fix, etc) - so when a hole is found, it gets a certain score for
these traits and an overall threat level is determined.

IMHO many times these values are dangerously wrong and can lead to
problems.  In some products I've seen "ease of exploit" listed as very
complex when I know it to be push-button easy.

Max

Current thread:

Re: Securax Security Advisory: Windows98 contains a seriousbuffer overflow with long filenameextensions. LiGHTNiNG (Apr 24)
- Re: Securax Security Advisory: Windows98 contains a seriousbufferoverflow with long filenameextensions. Markus Kern (Apr 25)
- <Possible follow-ups>
- Re: Securax Security Advisory: Windows98 contains a seriousbuffer overflow with long filenameextensions. Schockaert, Rudy (Apr 24)
  - Netaddress and amexmail Arturo Busleiman (Apr 25)
    - Re: Netaddress and amexmail Fabio Pietrosanti (Apr 27)
    - Re: Netaddress and amexmail Blue Boar (Apr 27)
    - Re: Netaddress and amexmail Marc Slemko (Apr 28)
    - Re: Netaddress and amexmail Arturo Busleiman (Apr 28)
    - Re: Netaddress and amexmail Stone (Apr 27)
  - Exploit Ease Level Rory Savage (Apr 25)
    - Re: Exploit Ease Level Max Vision (Apr 26)
    - Re: Exploit Ease Level Rory Savage (Apr 28)
    - Using php to bounce scan Thiebaut (Apr 28)
    - Re: Using php to bounce scan Omachonu Ogali (Apr 28)
    - Re: Using php to bounce scan Thiebaut (Apr 30)
    - corrupted link JklojLrnzn () AOL COM (Apr 30)
    - Re: Using php to bounce scan Matt Rae (Apr 30)
    - Re: Using php to bounce scan Thiebaut (Apr 30)
    - Re: Exploit Ease Level Max Vision (Apr 28)
    - Re: Exploit Ease Level jms (Apr 29)
    - Re: Exploit Ease Level Rory Savage (Apr 29)

(Thread continues...)