Javier Fernández-Sanguino Peña wrote:
On Sat, Sep 24, 2005 at 07:11:25AM -0400, Micah Anderson wrote:

What follows are notes of the second testing-security meeting held at
Oldenburg September 23, 2005 with joeyh, micah, jmm, lamont, aba and
christoph in attendance:

(..)

. Publishing the testing-security's severity levels
        We discussed the severity levels that we use in our tracking,
        and Micah agreed to dig out the discussions from the mailing list and
        compile them all together so we can agree on them and make them
        documented.
        low - not bad XSS issues
        medium - things that are local security
        high - remote holes/DoS (would rather terminate the service
        rather than run an insecure version)


I'd rather we had this homogeneous between teams and, moreover, was rather
detailed so that people can have expectations on what will be fixed first.
I mentioned CVSS previously, but these (good) references might come in handy:

Yes, these notes were not very clear about this. Basically we discussed coming to agreement about severity levels that we use in our tracking. There was some discussion on the list about different classifications, and I said I would dig up these and try and synthesize them and bring a summary to the list. We could then discuss this and agree on it. The notes then go on to give a very brief overview of some of the level discussions that we talked about at the meeting -- these were not meant to be the levels that we agreed on, I was just summing up the discussion.

Micah

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team
