> I wanted to suggest that when notifying of new vulnerabilities, in addition to the severity level, information is also provided about how widespread the issue is expected to be.
>
> For example, the statement might say "this high severity bug is expected to affect around 70% of cases", or for CVE-2015-1788 it would presumably state "around 1%" as it affects only client-side uses.
>
> This would help OpenSSL users gauge whether the upcoming vulnerability is "heartbleed"-level, or less serious/widespread. Currently a wide variety of vulnerabilities are just indicated as "high" severity, which could mean anything from a relatively minor DoS affecting 5 implementations to MITM affecting all servers/browsers.

Wide-spread-ness is an interesting factoid, but I kind of feel like it's not really relevant. OpenSSL is kind of ubiquitous, so adverse events are kind of widespread by definition.

I've worked in Risk as a Security Architect. An organization has a risk posture, and they will choose to remediate a vulnerability that applies to them; or they will choose to do nothing and accept the risk.

An organization will also assess their partners, and ensure compatible security postures as a matter of governance. If their partner is deficient, then they will have to address that risk too or do nothing and accept the risk.

The monoculture based on OpenSSL's success is a hindrance, too. It's kind of like a genome that's lost its genetic diversification. An interesting talk about it is Dan Geer's "Heartbleed as Metaphor", http://www.lawfareblog.com/heartbleed-metaphor.

Jeff