[VIM] Verified, confirmed, acknowledged, replicated... what?

security curmudgeon jericho at attrition.org
Tue Dec 6 02:05:45 EST 2005

: Does anybody have a terminology for how "proven" a vulnerability is?

I've thought about this in the past, and OSVDB uses one word consistently, 
as part of our classification system:

Verified - Has been personally verified by a mangler, or acknowledged by 
the vendor

This feeds into the definition:

: "verify" is "to establish the truth, accuracy, or reality of"

Specifically the 'accuracy or reality' part. I believe that is why we 
selected 'verified' over other words at the time.

: Maybe it's best to stay away from the overloaded terms altogether and 
: just say "replicate" - DUPLICATE, REPEAT, as in "replicate a statistical 
: experiment"

Definitions may disagree, but I don't like these words because they can 
easily mean that someone repeated or duplicated a flawed test, not 
verified a vulnerability.

If I set up a package, turn all the PHP options a certain way (the worst 
you can), change permissions on files and directories (the way I 
shouldn't), then report a vulnerability... you can duplicate and repeat 
it, but you have not verified it is a vulnerability in the software 

