Hello, In the wise words of Gaurav Kumar, on Thursday 23 June 2005 14:50: [SNIP] > Generally in VARs (Vulnerability Assessment Report), we identify the > vulnerability as Critical, Medium, Low etc, the judgment is based on > generally perception like buffer overflow is critical vulnerability, > but I guess it will be better if we can map it to the usage scenario, > and other parameters like how difficult it is to exploit it, how > widely the product is used etc. We can give some numbers to all these > parameters and come up with a model where we can 'quantify' > vulnerability. Based on this number we can rate the vulnerability > accordingly. > > It is just a thought, please let me know if someone is working on similar > area. Still a work in progress, but you could have a look at CVSS (Common Vulnerability Scoring System): http://www.first.org/cvss/ They try to basically do what you have in mind, taking into account such things as vendor input, but also "environmental" issues that are more specific to different environments. Cheers, Lionel -- "To understand how progress failed to make our lives easier, please press 3" Lionel Ferette BELNET CERT Coordinator Tel: +32 2 7903385 http://cert.belnet.be/ Fax: +32 2 7903375 PGP Key Id: 0x5662FD4B
Attachment:
pgpnHkC61FgUy.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/