Dailydave mailing list archives
Re: Vuln scoring system anyone?
From: Tom Parker <tom () rooted net>
Date: Wed, 2 Mar 2005 19:18:33 +0000 (GMT)
On Wed, 2 Mar 2005, Oliv wrote:

> Here is the web app : http://www.vulnerabilite.com/cvss_en/
Well, the basis of most of the theory on which CVSS rates vuln severity seems fairly sound; however, I stand by my original point that there is no mention anywhere that the perceived asset value needs to be factored in at some point. When you start thinking about vulnerability risk at this level of abstraction, you also need to start thinking about variables associated with the asset. These let you postulate towards other data such as the attack preferences of a would-be attacker exploiting the issue: what is their tolerance to risk, and what additional resources does the attacker need to obtain to offset any inhibiting factors associated with a vulnerability (like needing to acquire an elevated level of initial access)? If we lived in a world of equals where everyone shared the same resources and knowledge, maybe you could start basing your risk assessment on data like this, but that is obviously not the case.

Another thing - if a vendor finds out about a 0day in their product, are they going to issue an initial alert rating the issue as high due to its high impact, lack of a fix and the possible presence of a POC in the wild, and then re-rate it once they have fixed it, or just not tell people about it until it's been fixed? If a vendor releases an advisory for an issue that they have fixed, but for which no POC exists in the public domain, will they update their advisory when a POC enters the 'public' domain?

Don't get me wrong, I think the severity rating is a step in the right direction - but software vendors are in no place to be preaching to folks about remediation urgency/priority/what to eat for lunch.

-Tom

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave