From: Per Niila Albinsson (per@same.net)
Date: Wed Feb 12 2003 - 17:20:41 EST
Hi
From a vendor point of view I agree there is a difference. Though the
complexity of exploiting a certain vulnerability would probably be a good
indicator for the probability classification. A vendor can only give a very
generic answer to these questions.
When I suggested taking the probability into account I was targeting a scenario
where a consultant will make a penetration test and present the result for
the customers.
/Per Niila
>
> Amen to this. My personal belief is that one can not say what is the
> severity of a bug. It all depends on how the equipment is used. It
> may not be much about if it is a large network or not but if that
> feature is used. Another question is "What is the worth of your data?".
> If some bug will expose something that is public anyway then it
> boils down to a nuisance. If it will expose your confidential data then
> it is very serious indeed. The vendor can not know how a particular
> feature will be used in a customer's environment. Yes, a vendor may
> have some idea but, is it valid in all cases?
>
> Gaus