Web Application Security
Re: RES: rating TRACE Nov 13 2014 11:59AM
Robin Wood (robin digi ninja) (2 replies)
Re: RES: rating TRACE Nov 14 2014 01:13PM
Simon Ward (simon westpoint ltd uk)
On 2014-11-13 11:59, Robin Wood wrote:
> Moving from TRACE to more complex or harder to understand bugs just
> makes this worse and more subjective. I wish I could suggest a way to
> fix it so everyone was rating based on the same levels. I know some
> people aren't optimistic about CVSSv3 being able to help fix it, I've
> not looked at it yet but let's hope it moves us a step closer. Anyone
> else have any ideas?

Don't use the CVSS base score by itself as a metric. Unfortunately, the
scoring in the NVD and standards that require it encourage it.

There was talk about the possibility of "chaining" vulnerabilities in
CVSS 3. Each vulnerability would still be given an independent score,
but guidance would be given on how to score a vulnerability introduced
by combining other vulnerabilities.

Simon

Re: RES: rating TRACE Nov 13 2014 12:57PM
Martino Dell'Ambrogio (tillo tillo ch)


 

Copyright 2010, SecurityFocus