[Secure-testing-team] Vulnerability impact on issues
Moritz Muehlenhoff
jmm at inutil.org
Wed Oct 28 18:30:06 UTC 2009
On Wed, Oct 28, 2009 at 06:05:00PM +0100, Nico Golde wrote:
> Hi,
> I just had a chat with Raphael about the impact levels we currently set for
> vulnerabilities in the tracker. We both came to the conclusion that our
> current way of assigning that is rather sub-optimal.
>
> At the moment we try to judge the impact, the bug type, the availability of
> the issue and our priority which often is not easy to connect and we end up
> with situations where it is very hard (not to say random) to set the impact.
>
> Classifying security issues is a really hard task and known to be flawed. So I
> think it's time to change what we are currently doing.
>
> What about just setting what priority the issue has for us? We can't properly
> classify the impact with three levels anyway.
>
> Instead I propose we leave the levels as they are but use them with the
> meaning of priority. The tracker already says urgency so we need to change our
> documentation regarding that and maybe optionally displaying the CVSS score
> might be helpful (I know this score is flawed as well but it's better than
> none).
Or let's simply get rid of them at all.
Cheers,
Moritz