[Secure-testing-team] Re: summary of what's blocking security fixes

Moritz Muehlenhoff jmm at inutil.org
Wed Sep 14 19:46:23 UTC 2005


[Trimming out -release]

Javier Fernández-Sanguino Peña wrote:
> Based on this, the CVSS [1] base score is 3,8, which is probably lower than
> some other vulnerabilities out there. Why not standardize on a given metric to
> score vulnerabilities so that the work can be prioritised?
> 
> This is usually done in an informal way:
>
> IMHO the information used by the Security testing teams (both for testing and
> stable) should use metrics like CVSS to formalize the above. 

The testing security team already uses an informal pattern (low, medium and high),
but it's only used for internal prioritization. It can be seen through the
coloring on spohr.debian.org/~joeyh/testing-security.html, though.

Metrics like CVSS with post-comma precision values feign a precision that
can't really withstand reality, as there are too many local factors to consider
for the site-specific graveness of a vulnerability.

Cheers,
        Moritz
