Dailydave mailing list archives

Re: Vuln scoring system anyone?


From: Tom Parker <tom () rooted net>
Date: Wed, 2 Mar 2005 19:18:33 +0000 (GMT)


On Wed, 2 Mar 2005, Oliv wrote:

> Here is the web app : http://www.vulnerabilite.com/cvss_en/

Well, the basis of most of the theory which CVSS rates vuln severity
on seems fairly sound, however I stand by my original point, that there
is no mention anywhere, that the perceived asset value needs to be
factored in at some point.

When you start thinking about vulnerability risk at this level of
abstraction, you also need to start thinking about variables associated
with the asset. These let you postulate towards other data such as the
attack preferences of a would-be attacker exploiting the issue. What
is their tolerance to risk, what additional resources does the
attacker need to obtain to offset any inhibiting factors associated
with a vulnerability (like needing to acquire an elevated level of
initial access). If we lived in a world of equals where everyone
shared the same resource and knowledge, maybe you could start basing
your risk assessment on data like this, but that is obviously not the
case.

Another thing - if a vendor finds out about an 0day in their product
are they going to issue an initial alert, rating the issue as high
due to its high impact, lack of fix and the possible presence of a
POC in the wild, and then re-rate it once they have fixed it, or
just not tell people about it until it's been fixed? If a vendor
releases an advisory for an issue that they have fixed, but for which no
POC exists in the public domain, will they update their advisory when
a POC enters the 'public' domain?

Don't get me wrong, I think the severity rating is a step in the right
direction - but software vendors are in no place to be preaching to
folks about remediation urgency/priority/what to eat for lunch.

-Tom

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
