|
|
### User Interaction (UI)

* N - None

* R - Required

  * "A user or admin must take action as part of the attack."
  * For the daemons there is no real user interaction to speak of: the attacker's input arrives over the network. The one case that might count is an operator having to run a specific `rndc` command after the attacker has done something.
  * Other candidates are the Windows installer and the various command-line tools such as `dig`.

|
|
|
|
|
|
### Exploit Code Maturity (E)

* X - Not Defined

  * Not something we should use when scoring for release.

* H - High

  * "Functional autonomous code exists, **or no exploit is required (manual trigger) and details are widely available.**" [emphasis added]
  * This applies to anything that is triggered simply by sending a crafted query or response: no exploit code is needed, and once the advisory is published the details are widely available.

* F - Functional

  * Functional (but not autonomous) exploit code exists. A middle ground we will rarely use.

* P - Proof-of-Concept

  * If we release system tests that trigger the bug, we are at least at this level: the test is itself a working demonstration.

* U - Unproven

  * Only when we have not yet shown that the bug can be triggered at all.

|
### Remediation Level (RL)

* X - Not Defined

  * Will never apply at announcement time.

* U - Unavailable

  * Hopefully we never end up here: it means announcing with neither a fix nor a workaround to offer.

* W - Workaround

  * Will never apply at announcement time (see Temporary Fix below).

* T - Temporary Fix

  * Per the specification, a Workaround is an unofficial, non-vendor solution. If we describe a workaround ourselves, it came from the "vendor" (us) and therefore qualifies as a Temporary Fix.
  * We might use this in Operational Notifications where we aren't releasing patches.

* O - Official Fix

  * This will generally be what we use at announcement time.

|
### Report Confidence (RC)

* X - Not Defined

  * Should never apply at announcement time.

* C - Confirmed

  * "... or the author or vendor of the affected code has confirmed the presence of the vulnerability"
  * Unless we're going public with information we're not sure about, this is where we will be: we are the vendor and we have confirmed the bug.

* R - Reasonable

  * We might use this if we're announcing on the strength of reliable reports of something being actively exploited "in the wild" that we have not yet diagnosed or directly observed.

* U - Unknown

  * We're unlikely to make a public announcement at this level of confidence, unless we're getting conflicting reports that we're unable to verify.