Message-ID: <20031023175905.GA4794@deneb.enyo.de>
Date: Thu, 23 Oct 2003 19:59:05 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: Ejovi Nuwere <ejovi@...vi.net>
Cc: "Steven M. Christey" <coley@...re.org>,
bugtraq@...urityfocus.com, vuln-dev@...urityfocus.com
Subject: Re: "Local" and "Remote" considered insufficient
Ejovi Nuwere wrote:
> To summarize a vulnerability in one line is always difficult, more so
> when you are writing in a language other than your native tongue. Your
> ideas might help alleviate some of those troubles but not the core; in
> addition to language issues, most security researchers are simply poor
> writers. All of the complexities you detailed are very real, that is why
> there needs to be a simplified terminology.
In this case, I'd assume it's the responsibility of the vendors to hire
people who improve the quality of security advisories.
> While Local and Remote alone are clearly not enough, Local, Remote,
> Remote Level 1, Remote Beta and Remote Delta will not help either.
You need not restrict yourself to these signal words. While it's common
to write just three lines about a vulnerability, nobody (well, except
your legal department) forces you to be so terse.
> The idea of Local, Remote, and Remote Authenticated sounds nice and I
> would love to see more researchers adhere to this phrasing or something
> similar to the risk categories vulnerability scanners use. Low, Medium
> and High, three classifications, then let the end user sort them out.
Risk assessment is something that has to be done locally because it is
greatly affected by local implementation decisions and the threats you
face.