[Secure-testing-team] Oldenburg 2nd meeting summary

Javier Fernández-Sanguino Peña jfs at computer.org
Sat Sep 24 14:06:21 UTC 2005


On Sat, Sep 24, 2005 at 07:11:25AM -0400, Micah Anderson wrote:
> What follows are notes of the second testing-security meeting held at
> Oldenburg September 23, 2005 with joeyh, micah, jmm, lamont, aba and
> christoph in attendance:
(..)
> 
> . Publishing the testing-security's severity levels
> 	We discussed the severity levels that we use in our tracking,
> 	and Micah agreed to dig out the discussions from the mailing list and
> 	compile them all together so we can agree on them and make them documented.
> 	low - not bad XSS issues
> 	medium - things that are local security
> 	high - remote holes/DoS (would rather terminate the service
> 	       than run an insecure version)

I would rather we had this homogeneous between teams and, moreover, rather
detailed so that people can have expectations of what will be fixed first.
I mentioned CVSS previously, but these (good) references might come in handy:

- Red Hat's Security Classification:
http://www.redhat.com/f/pdf/rhel4/SecurityClassification.pdf 
- Gentoo Linux Vulnerability Treatment Policy
http://www.gentoo.org/security/en/vulnerability-policy.xml

The Red Hat paper (which is certainly worth reading) has references to
a number of other classifications.

One thing I've been asking the security team for some time is to add
these ratings to their DSAs so that people can prioritise the investigation of
those based on that rating if they don't have a metric of their own. I hope
the security testing team does so with DTSAs also.


Regards

Javier

