lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <200506231504.53869.lionel.ferette@belnet.be>
Date: Thu Jun 23 14:05:08 2005
From: lionel.ferette at belnet.be (Lionel Ferette)
Subject: 'Quantification' of vulnerability rating

Hello,

In the wise words of Gaurav Kumar, on Thursday 23 June 2005 14:50:
[SNIP]
> Generally in VARs (Vulnerability Assessment Report), we identify the
> vulnerability as Critical, Medium, Low etc, the judgment is based on
> generally perception like buffer overflow is critical vulnerability,
> but I guess it will be better if we can map it to the usage scenario,
> and other parameters like how difficult it is to exploit it, how
> widely the product is used etc. We can give some numbers to all these
> parameters and come up with a model where we can 'quantify'
> vulnerability. Based on this number we can rate the vulnerability
> accordingly.
> 
> It is just a thought, please let me know if someone is working on similar
> area. 
Still a work in progress, but you could have a look at CVSS (Common 
Vulnerability Scoring System):
http://www.first.org/cvss/

They try to basically do what you have in mind, taking into account such 
things as vendor input, but also "environmental" issues that are more 
specific to different environments.

Cheers,

Lionel

-- 
"To understand how progress failed to make our lives easier,
please press 3"

Lionel Ferette
BELNET CERT Coordinator

Tel: +32 2 7903385                  http://cert.belnet.be/
Fax: +32 2 7903375                  PGP Key Id: 0x5662FD4B
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050623/54963cc2/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ