Nice post here surveying various security organizations and the wide disparity between them: one will rate a vulnerability as Low while another rates the same one as Highly Critical. The lesson: to be serious about security, you have to read a lot to keep up with what’s really going on, and you cannot get comfortable with any single monitor (Secunia, for example, which in this case was very slow to arrive at an accurate severity for this Firefox vulnerability).

I think another lesson is to treat all vulnerabilities as important. It’s easy to see a vulnerability that doesn’t seem too bad (one that doesn’t allow remote code execution, for example) and file it away mentally. Then that vulnerability begins to be exploited in more severe ways, but you’re still mentally putting it off.

Of course, it doesn’t help that there are so many unpatched vulnerabilities. There are still 21 unpatched vulnerabilities in IE6.

SecuriTeam Blogs » The difficulties of (reading) vulnerability severity meters


No Responses to “What’s In A Severity Rating?”  
