Dailydave mailing list archives

Re: Vuln scoring system anyone?


From: security curmudgeon <jericho () attrition org>
Date: Sat, 26 Feb 2005 21:54:54 -0500 (EST)


: > In general, my gut reaction is "why the hype?" I've done extensive 
: ....
: > scoring really do that high/medium/low doesn't? Does a 1 to 10 style 
: > system add value? 1 to 100? At what point does it get too obscure or too 
: > granulated to be helpful?
: ... 
: > The fact that these vendors are leading the initiative scares me. These 
: > are the same ones that intentionally or ignorantly labeled remote code 
: 
: It is *only* the fact that major vendors are leading this that makes it 
: valuable. While I'm skeptical of any rating system's applicability to my 
: own circumstances, I *would* appreciate having vendor releases come out 
: on the same scale - even if that scale is meaningless outside of its 
: own context.  *I* might know the difference, but having people call me 
: up asking why company A calls X a "High", but company B calls it a 
: "Medium" can be a huge headache.

Err, ok, then why support this? It will cause the same headache.

You say if all the vendors agree an issue is 'High Risk', less headache. 
However, if those vendors agree an issue is 'Medium Risk', and security 
folks at CVE or OSVDB or Secunia or SecurityTracker or ISS or 
SecurityFocus or [..] say "No, this is High Risk", you have the same 
problem. Customers will see two ratings, questions ensue.

Consider that while many people will get information from these vendors 
first, many others will not. They get their information from vulnerability 
alert services (Secunia, SecurityTracker, etc). That is the first 
information they see, and their rating is often the determination for how 
an organization reacts immediately.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave