Re: Vulnerability level definition
From: Damir Rajnovic <gaus () cisco com>
Date: Wed, 12 Feb 2003 10:41:52 +0000

At 22:57 11/02/2003 +0100, Per Niila Albinsson wrote:

There would also be a need for probability, which I do guess is very subjective,
but does depend on the customer's environment. The probability of someone
exploiting a vulnerability would be large on a publicly accessible server,
medium for a server on the internal network, and low on a network with no

Amen to this. My personal belief is that one can not say what is the
severity of a bug. It all depends on how the equipment is used. It
may not be much about if it is a large network or not but if that
feature is used. Another question is "What is the worth of your data?".
If some bug will expose something that is public anyway then it
boils down to a nuisance. If it will expose your confidential data then
it is very serious indeed. The vendor can not know how a particular
feature will be used in a customer's environment. Yes, a vendor may
have some idea but, is it valid in all cases?

Damir Rajnovic <psirt () cisco com>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033
200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
There are no insolvable problems.
The question is can you accept the solution?