[EMAIL PROTECTED] wrote on 06/24/2006 08:24:40 AM:
> Hi Folks,
>
> I am wondering if there is any common source which defines the severity
> level of any vulnerability stating that it's high/medium or
> informational, or does every vendor who develops VA tools classify the
> severity levels on their own? Thanks in advance
We have found that we can only use other people's severity ratings as a guide. We have to rank them ourselves based on our applications and architectures. We have a committee that meets weekly to review new *nix vulnerabilities. (Our Microsoft folks meet just after Microsoft's security announcements, usually on Black Tuesday.)
While nothing is perfect, we tend to use CVE (cve.mitre.org) for information on each vulnerability (except for Microsoft and some other vendor-specific vulnerabilities).
Tom
Toto, I don't think we're in the mainframe world any more.
_______________________________________________
Nessus mailing list
[email protected]
http://mail.nessus.org/mailman/listinfo/nessus
