Kevin,

I agree with your comment. I feel that severity needs to be defined with measurable parameters.

CVE does not attempt to take the assessment of vulnerabilities or exposures (nor does it attempt to differentiate one from the other).

ICAT is an open database that does assess severity. I would propose that this same measurement be used. Check out the following URL: http://icat.nist.gov/icat_documentation.htm

Some might argue that this may not be very meaningful, however it means more compared to what currently exists.

A vulnerability is "high severity" if:

- it allows a remote attacker to violate the security protection of a system (i.e. gain some sort of user or root account),
- it allows a local attack that gains complete control of a system,
- it is important enough to have an associated CERT/CC advisory.

A vulnerability is "medium severity" if:

it does not meet the definition of either "high" or "low" severity.

A vulnerability is "low severity" if:

The vulnerability does not typically yield valuable information or control over a system but instead gives the attacker knowledge that may help the attacker find and exploit other vulnerabilities. We feel that the vulnerability is inconsequential for most organizations.

With so many different people writing these scripts, there will be some degree of varying subjectivity for the assignment of severity level that will not be able to be factored out. However if there were a limited group of terms to choose from, each one indicative of a unique severity level,

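As an added illustration (not code from the original post, ICAT or Nessus) of what "measurable parameters" and "a limited group of terms" could look like in practice: the ICAT rules above reduced to a few yes/no inputs per finding, plus an audit that flags scripts whose declared severity either uses a term outside the allowed vocabulary or disagrees with the rating the rules derive. The `Finding` record, its field names, the sample findings and the term "Critical" are all constructed for this example; in a real deployment the CERT/CC advisory flag would come from a lookup rather than a hand-set boolean.

```python
from dataclasses import dataclass
from typing import List, Tuple

# The only three terms a script author is allowed to use (ICAT's vocabulary).
HIGH, MEDIUM, LOW = "high", "medium", "low"
ALLOWED_TERMS = {HIGH, MEDIUM, LOW}


@dataclass
class Finding:
    """One plugin/script finding with the measurable inputs the ICAT rules need.

    Hypothetical record layout constructed for this example.
    """
    name: str
    declared: str                     # severity term the script author wrote
    remote_account: bool = False      # remote attacker gains a user or root account
    local_full_control: bool = False  # local attack yields complete control
    cert_advisory: bool = False       # an associated CERT/CC advisory exists
    info_only: bool = False           # only yields knowledge aiding other attacks


def icat_severity(f: Finding) -> str:
    """Apply the ICAT definitions: any 'high' criterion wins, then 'low', else 'medium'."""
    if f.remote_account or f.local_full_control or f.cert_advisory:
        return HIGH
    if f.info_only:
        return LOW
    # Medium is defined as 'neither high nor low', so it is the fall-through.
    return MEDIUM


def audit(findings: List[Finding]) -> List[Tuple[str, str, str]]:
    """Return (name, problem, detail) for every finding that breaks the scheme.

    'unknown term'  -> declared severity is not one of the three allowed words.
    'mismatch'      -> declared term is allowed but disagrees with the derived rating;
                       detail carries the rating the rules derive.
    """
    problems = []
    for f in findings:
        term = f.declared.strip().lower()
        if term not in ALLOWED_TERMS:
            problems.append((f.name, "unknown term", f.declared))
            continue
        derived = icat_severity(f)
        if term != derived:
            problems.append((f.name, "mismatch", derived))
    return problems


# Constructed sample findings; not taken from any real plugin database.
SAMPLE = [
    Finding("remote root shell", "Critical", remote_account=True),   # term not in vocabulary
    Finding("banner disclosure", "High", info_only=True),            # rules say low
    Finding("local privilege escalation", "high", local_full_control=True),
    Finding("weak cipher suite offered", "medium"),
]


if __name__ == "__main__":
    for name, problem, detail in audit(SAMPLE):
        print(f"{name}: {problem} ({detail})")
```

Running the module prints only the two findings that break the scheme; the other two pass. Ordering the checks with "high" first matters: a finding that both hands out a root account and leaks information is rated high, which is what the ICAT wording implies.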

-
[EMAIL PROTECTED]: general discussions about Nessus.

