undefined | Better HN

0 pointsjsploit5y ago0 comments

Do you disagree with the severity? I assess it to have a 6.5 (medium) CVSS score.

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L...

0 comments

I realise it’s a medium on that scale and I cannot argue otherwise.

But I think how private that data is to the end user should also be taken into account. It’s a medium for technical risk (relative to server remote exec), but it should be seen as a high priority for the company and rewarded as such.

If an end user were to ask that company “why did you leak all my private data” their response would be “your data is worth less than $250 in human labour and is seen as a medium security risk”?

jsploitOP5y ago

The authenticated one-click social engineering aspect of this significantly lowers exploit probability and overall risk.

justsomeuser5y ago

This is true, but this attack could work in an Iframe in the background without that click. An attacker could buy a popular blog on the note taking app, and run the Iframe in the background collecting data for years. The bug was at least 5 years old.

tptacek5y ago

CVSS is a ouija board and you can make it say whatever you want, which is why very few practitioners take it seriously.

jsploitOP5y ago

Sure, some of it is open to interpretation, but I disagree with it not being taken seriously. This is the basis for CVEs, most bounty tables, and most audit reports (that I've seen).

tptacek5y ago

I'm a practitioner, I've managed bug bounties for several companies, and spent 15 of the last 20 years doing assessment work almost exclusively, and nobody takes CVSS seriously. It doesn't say anything to point out that some people structure "bounty tables" based on CVSS, because, as I said, it's a ouija board; the actual rules for what bugs are worth are still ad hoc, they're just used to determine the CVSS instead of the price directly. And that's not a super common practice!

CVSS scores are put into audit reports --- at the ouiji levels clients want --- to shut up the suits in compliance.

1 more reply

wglb5y ago

I've been in security for a while and once received a report of a CVSS score that was egregiously high at Critical.

I modified the assumptions that were made by the reporter and came out with Low.

This is one example of why this is a nonsense metric.

1 more reply

j / k navigate · click thread line to collapse

0 comments

justsomeuser5y ago

I realise it’s a medium on that scale and I cannot argue otherwise.

jsploitOP5y ago

The authenticated one-click social engineering aspect of this significantly lowers exploit probability and overall risk.

justsomeuser5y ago

tptacek5y ago

CVSS is a ouija board and you can make it say whatever you want, which is why very few practitioners take it seriously.

jsploitOP5y ago

Sure, some of it is open to interpretation, but I disagree with it not being taken seriously. This is the basis for CVEs, most bounty tables, and most audit reports (that I've seen).

tptacek5y ago

CVSS scores are put into audit reports --- at the ouiji levels clients want --- to shut up the suits in compliance.

1 more reply

wglb5y ago

I've been in security for a while and once received a report of a CVSS score that was egregiously high at Critical.

I modified the assumptions that were made by the reporter and came out with Low.

This is one example of why this is a nonsense metric.

1 more reply

j / k navigate · click thread line to collapse