Read the full Part 1 on CSOonline.
Recently, Red Hat has raised some objections to my use in analysis of the High, Medium and Low severity ratings as determined by the National Institute of Standards (NIST) for the National Vulnerability Database (NVD) – found at http://nvd.nist.gov/.
So, let me say that in my opinion, some of the concerns raised by Red Hat have merit and mirror some of the issues I’ve raised myself.
On the other hand, the Red Hat motivation seems to be to impugn vulnerability comparisons where Red Hat might not come out on top, rather than to constructively identify the issues and propose some alternative that might work better, so I think a deeper look might be interesting.
I’ve posted up Part 1 on CSOonline. Read the full details there and give me your thoughts as feedback. I’m planning either one or two more follow-up posts to further explore severity rating systems and your feedback could very likely influence those posts…
Regards ~ Jeff