Quoting Javier Fernández-Sanguino Peña <jfs_at_debian.org>:
> I was wondering if anyone had done an analysis of the published
> DSAs based on;
>
> - package priority (i.e. 'base', 'standard', etc.)
> - type of security flaw (buffer overflow, logical error, integer overflow,
> etc.)
> - type of impact (denial of service, authentication, remote code execution,
> privilege escalation, etc.)
> - risk (that is, how "dangerous" is the vulnerability to common users)
Secunia ( http://secunia.com/ ) does some of that, and they cover all
vulnerabilities. US-CERT ( http://www.uscert.gov/ ) does it too, but I'm not
sure if they cover everything.
I don't agree with Secunia's methods of calculating risk at all.
A problem with spending a lot of time on calculating severity levels is that it
may stop people from contributing what some see as lower risk security problems
like Cross-site Scripting (which can be bad enough in many circumstances). I
would much prefer a system where people found and patched everything they could
- XSS, local buffer overflows, symlink attacks - instead of feeling ashamed for
finding those things.
-- Ulf Harnhammar http://www.advogato.org/person/metaur/

Received on Sat Dec 18 2004 - 13:02:42 GMT