[Secure-testing-team] Severities

Stefan Fritsch sf at sfritsch.de
Sat Jan 13 11:07:12 CET 2007


On Saturday 13 January 2007 02:51, Alex de Oliveira Silva wrote:
> > - Do not trust vulnerability web sites or the CVE description!
>
> Did you mean that I shouldn't trust in mitre CVE "CVSS Severity"?
> I changed many severity bugs using it. :(
> Do you wait for the evaluation of the maintainer to change the
> severity afterwards or do you only look in description of the bug?
> How can I analyze the severities correctly?

Maybe we should discuss this again. Maulkin added "These are generally 
based on the 'score' from NVD" to the documentation, but this is IMHO 
not what we did. Our severity includes how important a package is and 
what we label 'medium' will often be 'high' on NVD. OTOH, an XSS in a 
webapp is nearly always 'low' in our old scheme, while NVD 
assigns 'high' to e.g. CVE-2007-0204.

I think we should stick with the old way and remove that sentence from 
the documentation again. What do you think?

Cheers,
Stefan