Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: Blue Boar <BlueBoar () thievco com>
Date: Tue, 01 Mar 2005 13:22:14 -0800
security curmudgeon wrote:
What if someone posted a Snort signature for a new vuln before a vendor ack'd it? You have no proof that it's a valid vulnerability yourself, but you have a detailed advisory from a reputable security researcher and a respected snort sig writer that tested the vulnerability and wrote a signature to monitor for exploitation. That has to count for something, yes?
Yes, it counts for something. However, it's not the sort of easy thing to weight when creating a simplistic scoring system. It's not a nice easy binary state like "vendor ack". At best, it gets oversimplified into something like "seen in the wild" or "anecdotal evidence".
I'm not saying you don't pay attention to it, I'm just saying it's not simple enough to get included in a lot of ratings schemes. And yes, that's a failing of the rating scheme to not capture and weigh all available information.
BB