In your recent post to the cypherpunks mailing list you proposed a taxonomy of security weaknesses and vulnerabilities, adding that these may perhaps be categorized and ranked. Standard practice in the computer and communications security business has for many years been based on the idea of risk analysis. More or less systematic approaches to risk analysis have been put forward over the years. One example is FIPS Pub 65, which attempted to systematize risk analysis and ideally lead one to a quantified level of risk at the end. The method was too burdensome to be effective, and most people today use a more qualitative approach. The whole idea of categorizing or ranking holes and vulnerabilities ab initio, outside of their contextual application to a real system, is not very helpful. Systems vary so widely in their criticalities, sensitivities, costs, etc., that each of your pre-defined categorized weaknesses would have to be rejudged - in the context of the system being analyzed - to determine how, and to what extent, it could affect the system. For example, a system with a weakness in logging events would be a disaster in a busy commercial transactional system that may need logs to recover from errors or to trace mischievous actions. Another system, however, may find the lack of effective logging an inconvenience at worst (maybe even a plus, if the Pennsylvania cops are at the door). The standard approach as I understand it is to analyze the system against all the known vulnerabilities and attempt to measure (maybe only qualitatively) the risks associated with the vulnerabilities. I think analyzing holes by themselves, outside of any context, is a good academic exercise, and may lead to useful knowledge that people analyzing real systems can use, but it is not an advantage to attempt to grade them in the abstract.
-- PJ

You'll probably get lots more useful advice from others more articulate than I, but I hadn't posted to the list in a while and am curious about all these bounce messages everyone is talking about. Are there lots of others besides the guy with 1000 messages in his mailbox? I guess I'll see.....
P.J. Ponder
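The point made in the message above, that the same weakness carries a different risk in different systems, can be shown with a small qualitative likelihood-times-impact model. The code below is an added illustration and is not from the original post, from FIPS Pub 65, or from any real assessment: the weakness catalogue, the two system profiles and the numeric weights are all constructed. It scores one shared catalogue of weaknesses against two hypothetical systems and shows that the ranking produced "in the abstract" (likelihood alone) differs from the ranking produced in the context of each system.

```python
"""Context-dependent ranking of security weaknesses (constructed example).

A weakness has an intrinsic likelihood, but its impact depends on which
security properties the *system* actually cares about.  Risk is the
product of the two, so the same catalogue ranks differently per system.
"""
from __future__ import annotations

from dataclasses import dataclass

# Qualitative scale mapped to small integers so levels can be multiplied.
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Weakness:
    name: str
    likelihood: str                 # "low" | "medium" | "high"
    affects: tuple[str, ...]        # security properties the weakness undermines


@dataclass(frozen=True)
class System:
    name: str
    criticality: dict[str, str]     # property -> how much this system depends on it


# Constructed catalogue: the first entry is the logging weakness from the post.
WEAKNESSES = [
    Weakness("ineffective event logging", "high", ("recoverability", "accountability")),
    Weakness("weak session key length", "medium", ("confidentiality",)),
    Weakness("no rate limiting on login", "medium", ("availability", "confidentiality")),
]

# Constructed system profiles (hypothetical, for illustration only).
SYSTEMS = [
    System("busy commercial transaction system",
           {"recoverability": "high", "accountability": "high",
            "confidentiality": "medium", "availability": "high"}),
    System("personal anonymous remailer",
           {"recoverability": "low", "accountability": "low",
            "confidentiality": "high", "availability": "low"}),
]


def impact(weakness: Weakness, system: System) -> int:
    """Contextual impact: the highest criticality among the properties the weakness undermines."""
    return max(LEVEL[system.criticality[prop]] for prop in weakness.affects)


def risk(weakness: Weakness, system: System) -> int:
    """Qualitative risk = likelihood x contextual impact."""
    return LEVEL[weakness.likelihood] * impact(weakness, system)


def rank(system: System, weaknesses: list[Weakness] = WEAKNESSES) -> list[tuple[str, int]]:
    """Weaknesses ranked for one system, highest risk first (ties broken by name)."""
    scored = [(w.name, risk(w, system)) for w in weaknesses]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def abstract_rank(weaknesses: list[Weakness] = WEAKNESSES) -> list[tuple[str, int]]:
    """Ranking 'in the abstract': likelihood only, no system context at all."""
    scored = [(w.name, LEVEL[w.likelihood]) for w in weaknesses]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    print("abstract ranking:", abstract_rank())
    for system in SYSTEMS:
        print(f"{system.name}:", rank(system))
```

Run stand-alone, the logging weakness tops the list for the transaction system (score 9) and sits at the bottom for the remailer (score 3), while the abstract ranking, driven by likelihood alone, would put it first everywhere. Swapping the `max` in `impact` for a sum, or adding a cost-of-countermeasure term, changes the numbers but not the lesson: the ranking only exists once a system profile is supplied.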