[ OWASP - Montreal ] Calculate or decide the risk of a vulnerability

Benoit Guerette benoit.guerette at gmail.com
Wed Dec 3 15:45:33 EST 2008

Using Nessus, you know exactly the CVSS value of a vulnerability.

But when you find something without a tool showing the CVSS, how do
you calculate or decide the level it is?

Example: "Information Leakage and Improper Error Handling" from OWASP
Top Ten, will you report High, medium or low?

I found a similar issue on
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4899 where
the CVSS1 is 5.0 so medium...
