Vulnerability scoring would be better with two scores: one for impact -- how many people are affected -- and urgency -- how quickly they need to act to address the issue
Drew DeVault (drewdevault@fosstodon.org)'s status on Friday, 22-Sep-2023 21:12:56 JST: Also, everything to do with vulnerabilities would be much better if the security circus were shut down and everyone took a chill pill
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 22-Sep-2023 21:14:58 JST: @drewdevault And first and foremost that scoring should have some references/citations, there's too many times where it's pretty much bullshit made out of thin air.
Haelwenn /элвэн/ :triskell: (lanodan@queer.hacktivis.me)'s status on Friday, 22-Sep-2023 23:47:19 JST: @nytpu @drewdevault Yeah, was also seen in https://kernel-recipes.org/en/2019/talks/cves-are-dead-long-live-the-cve/ for a barely-existent kernel bug.
nytpu (nytpu@tilde.zone)'s status on Friday, 22-Sep-2023 23:47:20 JST: @lanodan @drewdevault Thinking about the dozens of Curl CVEs with a severity of 9.5+ for minor, non-exploitable bugs fixed years ago