[Secure-testing-team] Oldenburg 2nd meeting summary

micah micah at riseup.net
Sat Sep 24 14:12:01 UTC 2005


Javier Fernández-Sanguino Peña wrote:
> On Sat, Sep 24, 2005 at 07:11:25AM -0400, Micah Anderson wrote:
> 
>>What follows are notes of the second testing-security meeting held at
>>Oldenburg September 23, 2005 with joeyh, micah, jmm, lamont, aba and
>>christoph in attendance:
> 
> (..)
> 
>>. Publishing the testing-security's severity levels
>>	We discussed the severity levels that we use in our tracking,
>>	and Micah agreed to dig out the discussions from the mailing list and
>>	compile them all together so we can agree on them and make them documented.
>>	low - not bad XSS issues
>>	medium - things that are local security
>>	high - remote holes/DoS (would rather terminate the service
>>	       rather than run an insecure version)
> 
> 
> I'd rather we had this homogeneous between teams and, moreover, was rather
> detailed so that people can have expectations on what will be fixed first.
> I mentioned CVSS previously, but these (good) references might come in handy:

Yes, these notes were not very clear about this. Basically we discussed 
coming to agreement about severity levels that we use in our tracking. 
There was some discussion on the list about different classifications, 
and I said I would dig up these and try and synthesize them and bring a 
summary to the list. We could then discuss this and agree on it. The 
notes then go on to give a very brief overview of some of the level 
discussions that we talked about at the meeting -- these were not meant 
to be the levels that we agreed on, I was just summing up the discussion.

Micah
