It's not really what you asked for, but you can report on vulnerabilities using their CVSS vector information.
This was described in one of the recent brownbag sessions; I think it was the most recent one.
Thanks J, not completely what I'm looking for but thanks for the reply!
I did submit an FMR for this, however, I will still need to devise an interim fix...so all help is still appreciated!
I think the standardized metric most useful would be CVSS Impact type.
Example below using CVE-2011-2429 from NVD....
Vulnerability Summary for CVE-2011-2429
Original release date: 09/22/2011
Adobe Flash Player before 10.3.183.10 on Windows, Mac OS X, Linux, and Solaris, and before 10.3.186.7 on Android, allows attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors, related to a "security control bypass
CVSS Severity (version 2.0):
CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Impact Subscore: 2.9
Impact Type: Allows unauthorized disclosure of information
Message was edited by: john.m.sopp on 11/9/11 12:37:44 PM EST
For anyone else looking to do this, I created a homegrown method to categorize vulnerabilities into one or more of the following categories:
- System Compromise
- Elevation of Privilege
- Denial of service
- Unauthorized Information Disclosure
- Content Spoofing
- Session Hijacking
- Man in the middle attack
Send me a private message or email if you would like to know how.