NIST has a nice database that gives you all of the references for a
particular vuln; it can be searched using the CVE number. SANS has a nice
explanation of different risk levels that can be helpful in coming up with
the actual risk on a given network. There are so many variables dependent
on the environment of the host that you have to determine severity
separately for each network you evaluate.
~D
From: [EMAIL PROTECTED]
To: [email protected]
Subject: Re: Severity classification
Date: Mon, 26 Jun 2006 09:38:41 -0500
[EMAIL PROTECTED] wrote on 06/24/2006 08:24:40 AM:
> Hi Folks,
>
> I am wondering if there is any common source which defines the severity
> level of any vulnerability, stating that it's high/medium or
> informational, or does every vendor who develops VA tools classify the
> severity levels on their own? Thanks in advance
We have found that we can only use other people's severity ratings as a
guide. We have to rank them ourselves based on our applications and
architectures. We have a committee that meets weekly to review new *nix
vulnerabilities. (Our Microsoft folks meet just after Microsoft's security
announcements, usually on Black Tuesday.)
While nothing is perfect, we tend to use CVE (cve.mitre.org) for
information on each vulnerability (except for Microsoft and some other
vendor-specific vulnerabilities).
Tom
Toto, I don't think we're in the mainframe world any more.
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus