Talk:Vulnerability (computer security)
I think this is a good idea -- the Software security vulnerability article can be used as part of the Vulnerability article.
I am curious, doesn't vulnerability need to say that it's "vulnerable to" something? For example, we don't say that "New Orleans is vulnerable." We might say that "New Orleans has a high vulnerability to a Force 5 hurricane," but could we just say that the "New Orleans levees have high vulnerabilities to hurricanes"? I don't think so, since they really were only vulnerable to Force 5 and higher. There needs to be a force against, or a threat... in fact, more specifically, there needs to be a specific amount of threat, like Force 5 hurricanes. In computing, vendors have erroneously stated that a server has a high vulnerability... but often without regard to what amount of threat. My server has almost no vulnerabilities if my threat agent is a four-year-old girl. But a skilled, malicious hacker sponsored by a terrorist state might make Swiss cheese of my server.
Did my vulnerability just change based on the threat agent's capabilities? I think it did. Maybe we should consider adding something that states that vendors of security products typically over-generalize the acting threat agents... or do they even consider them?
Disclosure
I think the section on full disclosure starts out good, showing a balanced view of the topic, but then takes a biased point of view. I myself am generally considered an expert in the security arena that the public listens to, and I don't fully agree with full disclosure. It's a complicated issue; it should be discussed by all means, but the sentence that reads "From the security perspective, only a free and public disclosure can ensure that all interested parties get the relevant information. Security through obscurity is a concept that most experts consider unreliable." onward takes a biased viewpoint on the issue. There are pros and cons to both sides, and Wikipedia shouldn't be taking sides on this or any controversial issue. --Michael Lynn 23:39, 20 March 2007 (UTC)
- I agree. Disclosure methods are controversial, prone to biased viewpoints, and will probably stay that way for the foreseeable future. I moved that section from its original place in the article (where it didn't belong at all, imo) and made a minor change to reduce some of the bias, but I think it needs to be completely reworked. What might work is to have a para on different methods of disclosure (i.e. full disclosure, "responsible disclosure", "pre-disclosure", etc.). Even then that can be tricky to write without bias (ex: what is "responsible disclosure"?). Dman727 03:05, 21 March 2007 (UTC)