|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Dailydave] Vuln scoring system anyone?
From: Brian Erdelyi (brian_erdelyi
yahoo.com)
Date: Tue Mar 01 2005 - 09:49:40 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
> Ok, well now that I've read the report, I can
> comment on it:
> 1. It turns out "access complexity" means "race
> conditions or client
> side vulns"
I didn't try to be too narrow with my interpretation
of Access Complexity, I think it's a great term. One
of my personal beefs is that some people neglect to
differentiate between the level of access required to
exploit the vulnerability. If authentication is
required, is admin/root privileges required to exploit
it? To exploit the vuln does it require user
interaction? Maybe this is what you mean by "race
condition or client side vuln"?
> 2. "Report Confidence" as "uncorroborated as
> "Multiple non-official
> sources; possibly including independant security
> companies or research
> organizations. Then as "Confirmed" as "Vendor has
> reported/confirmed a
> problem within it's own product." This is basically
I think that may be a more intuitive distintion. I
don't think it's reversed since it is intended that
the vendor confirm it.
Personally, I would refer to "Impact Bias" as "Impact
Priority".
As with any scoring system there is potential for
misuse and errors. I created the calculator do
illustrate how CVSS works and to do what-if scenarios.
DoS Vuln:
Access Vector Remote
Access Complexity Low
Authentication Not Required
Confidentiality Impact None
Integrity Impact None
Availability Impact Complete
Impact Bias Availability
Base Score 5
Buffer Overflow:
Access Vector Remote
Access Complexity Low
Authentication Not Required
Confidentiality Impact None
Integrity Impact Complete
Availability Impact Complete
Impact Bias Integrity
Base Score 7.5
Does that describe the scenario you mean? In this
case base score can vary by 2.5.
Regards,
Brian Erdelyi
__________________________________
Do you Yahoo!?
Yahoo! Mail - 250MB free storage. Do more. Manage less.
http://info.mail.yahoo.com/mail_250
_______________________________________________
Dailydave mailing list
Dailydavelists.immunitysec.com
https://lists.immunitysec.com/mailman/listinfo/dailydave
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]