WebApp Sec mailing list archives
Re: RES: rating TRACE
From: Simon Ward <simon () westpoint ltd uk>
Date: Fri, 14 Nov 2014 13:13:07 +0000
On 2014-11-13 11:59, Robin Wood wrote:
> Moving from TRACE to more complex or harder to understand bugs just makes this worse and more subjective. I wish I could suggest a way to fix it so everyone was rating based on the same levels. I know some people aren't optimistic about CVSSv3 being able to help fix it; I've not looked at it yet, but let's hope it moves us a step closer. Anyone else have any ideas?
Don't use the CVSS base score by itself as a metric. Unfortunately, the scoring in the NVD and standards that require it encourage it.
There was talk about the possibility of "chaining" vulnerabilities in CVSS 3. Each vulnerability would still be given an independent score, but guidance would be given on how to score a vulnerability introduced by combining other vulnerabilities.
Simon