Security Basics mailing list archives

Re: Vulnerability level definition
From: Per Niila Albinsson <per () same net>
Date: Wed, 12 Feb 2003 23:20:41 +0100


From a vendor point of view I agree there is a difference. Though the 
complexity of exploiting a certain vulnerability would probably be a good 
indicator for the probability classification. A vendor can only give a very 
generic answer to these questions.

When I suggested to take the probability into account I was targeting a scenario 
where a consultant will make a penetration test and present the result for 
the customers.
/Per Niila

Amen to this. My personal belief is that one can not say what is the
severity of a bug. It all depends on how the equipment is used. It
may not be much about if it is a large network or not but if that
feature is used. Another question is "What is worth of your data?".
If some bug will expose something that is public anyway then it
boils down to a nuisance. If it will expose your confidential data then
it is very serious indeed. The vendor can not know how a particular
feature will be used in a customer's environment. Yes, a vendor may
have some idea but, is it valid in all cases?

