Dailydave mailing list archives

Re: Vuln scoring system anyone?


From: security curmudgeon <jericho () attrition org>
Date: Fri, 25 Feb 2005 23:03:29 -0500 (EST)


My reply from another list. Part of this is based on a reporter asking 
them if they were going to work with OSVDB.org (of which I am a part), and 
they said "that is a good idea". Not surprisingly, we haven't heard from 
them.

: So what are people's thoughts on:
: 
: http://www.newscientist.com/article.ns?id=dn7040
: 
: It strikes me that although it may be a good idea to try and rate a 
: vulnerability based on its severity, using metrics which measure factors 
: such as ease of exploitation, initial levels of access required, etc., 
: rating the "urgency" of an issue (which sounds like remediation 
: prioritization to me) solely on the severity seems like a mistake. 
: People are going to use these ratings to prioritize remediation, and yet 
: their metrics seem to say nothing about the respective asset. Perhaps 
: I've missed the point of the system here; this is a topic I gas about 
: all of the time, so I won't bore you - I'm just curious to hear what 
: people think.

In general, my gut reaction is "why the hype?" I've done extensive 
thinking about the scoring system, discussed and debated it with a ton of 
people, meditated on it and sacrificed a chicken so far. What does this 
scoring really do that high/medium/low doesn't? Does a 1 to 10 style 
system add value? 1 to 100? At what point does it get too obscure or too 
granulated to be helpful?

The fact that these vendors are leading the initiative scares me. These 
are the same ones that intentionally or ignorantly labeled remote code 
execution bugs on default services as medium when they should have been 
high. Can we trust them to accurately label these vulns?

I also heavily question any of these consortiums that refuse to accept or 
solicit feedback/membership from groups that aren't million dollar 
companies.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
