How do you typically rate overall vulnerability severity of a network client not verifying server's SSL cert? (This is a poll.)
One argument for not hesitating to classify as high/critical: it's almost always a "minus-only" patch to fix.
-
So it's not like fixing it requires diverting resources from fixing other high/critical bugs.
-
I think it's not expected for ease of fixing to be factored into severity. That would make it priority, a different metric.
-
I didn't mean cost should be a factor, rather that if you're (wrongly) including it in some places, it doesn't make sense here.