Hi

From a vendor point of view I agree there is a difference. Though the 
complexity of exploiting a certain vulnerability would probably be a good 
indicator for the probability classification. A vendor can only give a very 
generic answer to these questions.

When I suggested taking the probability into account I was targeting a scenario 
where a consultant will perform a penetration test and present the results to 
the customers.
/Per Niila

>
> Amen to this. My personal belief is that one cannot say what the
> severity of a bug is. It all depends on how the equipment is used. It
> may not be much about whether it is a large network or not but whether that
> feature is used. Another question is "What is your data worth?".
> If some bug will expose something that is public anyway then it
> boils down to a nuisance. If it will expose your confidential data then
> it is very serious indeed. The vendor cannot know how a particular
> feature will be used in a customer's environment. Yes, a vendor may
> have some idea but, is it valid in all cases?
>
> Gaus
