[VIM] Severity dispute (Apple DMG) and information quality

Steven M. Christey coley at mitre.org
Wed Dec 6 19:10:44 EST 2006


CVE-2006-6061
http://alastairs-place.net/2006/11/dmg-vulnerability/#more
http://www.matasano.com/log/633/alastair-houghton-debunks-lmh-mokb-finding/


The post has some of the typical commentary on VDBs not verifying
every claim.  Personally, I think we collectively need to do a much
better job of this.  But Houghton also includes the ironic note:

  It's taken me the best part of three days' work to figure out what
  is really going on here, which gives some idea of how difficult it
  is (particularly without the source code for the disk image driver)
  to trace everything back through and come up with a proper,
  definitive explanation of the problem.

yet somehow he expects us to do this kind of diligence for every one
of the ~150 vulnerabilities that we process per week.  150 x 3 = 450
staff days of effort per week?  I don't think so.  (OK, so some issues
only take an hour, but still...)

There has to be a middle ground somewhere.

- Steve

