Hi, I just had a chat with Raphael about the impact levels we currently set for vulnerabilities in the tracker. We both came to the conclusion that our current way of assigning that is rather sub-optimal.
At the moment we try to judge the impact, the bug type, the availability of the issue and our priority, which often is not easy to connect, and we end up with situations where it is very hard (not to say random) to set the impact. Classifying security issues is a really hard task and known to be flawed. So I think it's time to change what we are currently doing.

What about just setting what priority the issue has for us? We can't properly classify the impact with three levels anyway. Instead I propose we leave the levels as they are but use them with the meaning of priority. The tracker already says urgency, so we need to change our documentation regarding that, and maybe optionally displaying the CVSS score might be helpful (I know this score is flawed as well, but it's better than none).

Opinions?

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

