[Dailydave] FW: The CrateMaster2000 of Security.

Florian Weimer fw at deneb.enyo.de
Tue Jan 30 15:36:04 EST 2007


* Des Ward:

> The biggest issue with CVSS is that the environmental score is far
> too brief and confusing to make things workable. We need to ask a
> number of additional questions to get any kind of use out of the
> scoring mechanism. Take a remotely exploitable vulnerability that
> needs client interaction: only when changing the remotely
> exploitable score to no do you start getting an accurate score.

Yeah, but this is due to the proliferation of "remote"
vulnerabilities.  In many cases, bugs requiring user interaction to
exploit are still pretty much relevant, in others, they are not.  It
all depends on context, how you have deployed the defective software,
and so on.

The issue I have with CVSS and similar schemes is that for different
industries, different security aspects have different priorities.  A
typical ISP doesn't care that much about the confidentiality of their
customers' packets, or that they pass through their network unchanged,
but they are very keen on keeping everything running.  But within
CVSS, there is a built-in ordering that basically says A < I < C (or
was it A < C < I?), and this doesn't make sense if the A aspect is the
important one for you.  If you've got two partial orderings on the
same set, there isn't necessarily a total ordering that refines both. 8-)
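As an added illustration (not part of the thread), here is a minimal CVSS v1 calculator, the version in use when this was posted. It scores two constructed, otherwise identical remote bugs, one that only leaks data and one that only causes an outage, and shows that their ranking depends entirely on the ImpactBias the scorer picks; the metric weights are as recalled from the CVSS v1 guide and should be checked against it.

```python
# Added example, not code from the thread: a minimal CVSS v1 calculator.
# Weights are those of the CVSS v1 guide (current in Jan 2007) as recalled
# here; verify against the published guide before relying on them.

ACCESS_VECTOR = {"local": 0.7, "remote": 1.0}
ACCESS_COMPLEXITY = {"high": 0.8, "low": 1.0}
AUTHENTICATION = {"required": 0.6, "not_required": 1.0}
IMPACT = {"none": 0.0, "partial": 0.7, "complete": 1.0}
# ImpactBias: which of C/I/A the scorer weights most. "normal" is symmetric.
IMPACT_BIAS = {
    "normal": (0.333, 0.333, 0.333),
    "confidentiality": (0.5, 0.25, 0.25),
    "integrity": (0.25, 0.5, 0.25),
    "availability": (0.25, 0.25, 0.5),
}
COLLATERAL_DAMAGE = {"none": 0.0, "low": 0.1, "medium": 0.3, "high": 0.5}
TARGET_DISTRIBUTION = {"none": 0.0, "low": 0.25, "medium": 0.75, "high": 1.0}


def base_score(av, ac, au, c, i, a, bias="normal"):
    """CVSS v1 base score; the bias is the only knob that orders C, I and A."""
    wc, wi, wa = IMPACT_BIAS[bias]
    impact = IMPACT[c] * wc + IMPACT[i] * wi + IMPACT[a] * wa
    return round(10 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac]
                 * AUTHENTICATION[au] * impact, 1)


def environmental_score(temporal, cdp, td):
    """CVSS v1 environmental score layered on a temporal (or base) score."""
    return round((temporal + (10 - temporal) * COLLATERAL_DAMAGE[cdp])
                 * TARGET_DISTRIBUTION[td], 1)


# Two constructed remote bugs that differ only in which aspect they hit:
# one leaks data (C only), one takes the service down (A only).
LEAK = dict(av="remote", ac="low", au="not_required", c="complete", i="none", a="none")
OUTAGE = dict(av="remote", ac="low", au="not_required", c="none", i="none", a="complete")


def ranking(bias):
    """Return which of the two constructed bugs scores higher under a bias."""
    leak = base_score(**LEAK, bias=bias)
    outage = base_score(**OUTAGE, bias=bias)
    return "leak" if leak > outage else "outage" if outage > leak else "tie"


if __name__ == "__main__":
    for bias in IMPACT_BIAS:
        print(bias, base_score(**LEAK, bias=bias), base_score(**OUTAGE, bias=bias), ranking(bias))
    # ISP-style deployment: availability-biased, high collateral damage, deployed everywhere.
    print(environmental_score(base_score(**OUTAGE, bias="availability"), "high", "high"))
```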

