[VIM] Severity dispute (Apple DMG) and information quality
Steven M. Christey
coley at mitre.org
Wed Dec 6 19:10:44 EST 2006
CVE-2006-6061
http://alastairs-place.net/2006/11/dmg-vulnerability/#more
http://www.matasano.com/log/633/alastair-houghton-debunks-lmh-mokb-finding/
The post has some of the typical commentary on VDBs not verifying
every claim. Personally, I think we collectively need to do a much
better job of this. But Houghton also includes the ironic note:
> It's taken me the best part of three days' work to figure out what
> is really going on here, which gives some idea of how difficult it
> is (particularly without the source code for the disk image driver)
> to trace everything back through and come up with a proper,
> definitive explanation of the problem.
yet somehow he expects us to do this kind of diligence for every one
of the ~150 vulnerabilities that we process per week. 150 x 3 = 450
staff days of effort per week? I don't think so. (OK, so some issues
only take an hour, but still...)
There has to be a middle ground somewhere.
- Steve