mailing list archives
Re: Vulnebrability level definition
From: Per Niila Albinsson <per () same net>
Date: Wed, 12 Feb 2003 23:20:41 +0100
From a vendor point of view I agree there is a difference. Though the
complexity of exploiting a certain vulnerability would probably be a good
indicator for the probability classification.A vendor can only give a very
generic answer to these questions.
When I suggested to take the probability in count I was targeting a scenario
where a consultant will make a penetration test and present the result for
Amen to this. My personal belief is that one can not say what is the
severity of a bug. It all depends on how the equipment is used. It
may not be much about if it is a large network or not but if that
feature is used. Another question is "What is worth of your data?".
If some bug will expose something that is public anyway then it
boils down a nuisance. If it will expose your confidential data then
it is very serious indeed. The vendor can not know how a particular
feature will be used in a customer's environment. Yes, a vendor may
have some idea but, is it valid in all cases?
Re: Vulnebrability level definition Meritt James (Feb 12)
RE: Vulnebrability level definition Milton . Keath (Feb 13)
Re: Vulnebrability level definition Steven M. Christey (Feb 14)
Re: Vulnebrability level definition Per Niila Albinsson (Feb 14)
- Re: Vulnebrability level definition, (continued)