At 22:57 11/02/2003 +0100, Per Niila Albinsson wrote:
>There would also be a need for probability, which I do guess is very subjective,
>but does depend on the customer's environment. The probability of someone
>exploiting a vulnerability would be large on a publicly accessible server,
>medium for a server on the internal network, and low on a network with no
>users.

Amen to this. My personal belief is that one cannot say what the severity of a bug is. It all depends on how the equipment is used. It may not be so much about whether it is a large network or not, but whether that feature is used.

Another question is "What is the worth of your data?". If some bug will expose something that is public anyway, then it boils down to a nuisance. If it will expose your confidential data, then it is very serious indeed.

The vendor cannot know how a particular feature will be used in a customer's environment. Yes, a vendor may have some idea, but is it valid in all cases?

Gaus

==============
Damir Rajnovic <psirtat_private>, PSIRT Incident Manager, Cisco Systems
<http://www.cisco.com/go/psirt> Telephone: +44 7715 546 033
200 Longwater Avenue, Green Park, Reading, Berkshire RG2 6GB, GB
==============
There are no insolvable problems.
The question is can you accept the solution?