From: Jon Passki
Reply-To: cykyc@yahoo.com
To: freebsd-vuxml@freebsd.org
Date: Mon, 21 Feb 2005 08:03:56 -0800 (PST)
Subject: Adding Additional Attributes to VuXML
Message-ID: <20050221160356.61989.qmail@web50302.mail.yahoo.com>
List-Id: Documenting security issues in VuXML

Hello All,

I would like to discuss risk attributes and see if they should be included in VuXML as some new optional elements.

What I would like to see are possibly two new elements added that describe the likelihood of the vulnerability and what the vulnerability produces. Neither of these elements would try to directly communicate the impact of the risk (which is site-specific), rather certain attributes that can objectively describe the vulnerability.
Also, this is not a taxonomy, although it may start to resemble one. It's to provide consistent information across vulnerabilities.

When I think of likelihood, I think of some of the following examples:

--) Configuration needed for successful exploitation (default or non-default)
--) Needed Account Access (non-anonymous, anonymous, none)
--) Location of Exploitation (can be performed remotely, needs to be local)

When I think of the production of the vulnerability, I think of some of the following examples:

--) Network information (host names, IP addresses, MAC addresses, etc.)
--) Account information (account name, individual account password, credential reuse, privileged account access, etc.)
--) System/Service Information (directory names, file names, configuration information, recursive resource usage, etc.)

What I'm asking is if it makes sense to add these two _optional_ elements (or perhaps similar concepts). If it does, then I'd like to start a discussion on the exact content (one bikeshed at a time...).

Sincerely,

Jon Passki