Why Exploitability is Key to Risk
Commentary: Even if it's not perfect, there's a lot to like about Microsoft's Exploitability Index.
Mozilla foregoes the exploitability route
Earlier this year I asked Mozilla's chief security person, Window Snyder, if Mozilla would go the Exploitability Index route for reporting vulnerabilities. Snyder told me that Mozilla did consider it but ultimately determined that it was a factor that wasn't all that useful.
"We don't have a lot of evidence that Firefox users are being exploited," Snyder said.
Though Mozilla may feel confident that its users aren't being exploited, other vendors (Microsoft in particular) shouldn't be.
The simple fact is that users and Web sites are being exploited on a daily basis through myriad vulnerabilities. If vendors of all stripes could adopt an exploitability approach that clearly outlines risk based on whether or not an issue could be exploited, I think that the Web itself would be a safer place.
Sean Michael Kerner is a senior editor for InternetNews.com. His areas of coverage include Linux, Open Source, Security, Application Development and Networking.