[VIM] Verified, confirmed, acknowledged, replicated... what?
security curmudgeon
jericho at attrition.org
Tue Dec 6 02:05:45 EST 2005
: Does anybody have a terminology for how "proven" a vulnerability is?
I've thought about this in the past, and OSVDB uses one word consistently,
as part of our classification system:
Verified - Has been personally verified by a mangler, or acknowledged by
the vendor
This feeds into the definition:
: "verify" is "to establish the truth, accuracy, or reality of"
Specifically the 'accuracy or reality' part. I believe that is why we
selected 'verified' over other words at the time.
: Maybe it's best to stay away from the overloaded terms altogether and
: just say "replicate" - DUPLICATE, REPEAT, as in "replicate a statistical
: experiment"
Definitions may disagree, but I don't like these words because they can
easily mean that someone repeated or duplicated a flawed test, not
verified a vulnerability.
If I set up a package, turn all the PHP options a certain way (the worst
you can), change permissions on files and directories (the way I
shouldn't), then report a vulnerability... you can duplicate and repeat
it, but you have not verified it is a vulnerability in the software
package.