On Saturday 13 January 2007 02:51, Alex de Oliveira Silva wrote:
> > - Do not trust vulnerability web sites or the CVE description!
>
> Did you mean that I shouldn't trust the MITRE CVE "CVSS Severity"?
> I changed many severity bugs using it. :(
> Do you wait for the evaluation of the maintainer to change the
> severity afterwards, or do you only look at the description of the bug?
> How can I analyze the severities correctly?
Maybe we should discuss this again. Maulkin added "These are generally based on the 'score' from NVD" to the documentation, but this is IMHO not what we did. Our severity includes how important a package is, and what we label 'medium' will often be 'high' on NVD. OTOH, an XSS in a webapp is nearly always 'low' in our old scheme, while NVD assigns 'high' to e.g. CVE-2007-0204.

I think we should stick with the old way and remove that sentence from the documentation again. What do you think?

Cheers,
Stefan
_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/secure-testing-team

