[Secure-testing-team] Vulnerability impact on issues
Nico Golde
debian-secure-testing+ml at ngolde.de
Wed Oct 28 17:05:00 UTC 2009
Hi,

I just had a chat with Raphael about the impact levels we currently set for
vulnerabilities in the tracker. We both came to the conclusion that our
current way of assigning that is rather sub-optimal.

At the moment we try to judge the impact, the bug type, the availability of
the issue and our priority, which often is not easy to connect, and we end up
with situations where it is very hard (not to say random) to set the impact.
Classifying security issues is a really hard task and known to be flawed. So I
think it's time to change what we are currently doing.

What about just setting what priority the issue has for us? We can't properly
classify the impact with three levels anyway.

Instead I propose we leave the levels as they are but use them with the
meaning of priority. The tracker already says urgency, so we need to change our
documentation regarding that, and maybe optionally displaying the CVSS score
might be helpful (I know this score is flawed as well, but it's better than
none).

Opinions?

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.