Hi,
I actually like the Mozilla and Chromium approach. Although browsers and
web apps are not exactly the same, the principles seem to work. I like
that they are guidelines only - and rely somewhat on the judgement of
the person doing the analysis. That seems to work better than systems
that try to be entirely objective. I can see the attraction of an
objective system - I just have not yet found one that works as well as
subjective judgement. CVSS was quite a disappointment, but based on
other responses to the poll I have got one of our guys looking at DREAD.
https://wiki.mozilla.org/Security_Severity_Ratings
https://sites.google.com/a/chromium.org/dev/developers/severity-guidelines
Paul
--
Pentest - The Application Security Specialists
Paul Johnston - IT Security Consultant / Tiger SST
PenTest Limited - ISO 9001 (44/100/107029) / ISO 27001 (IS 558982)
Office: +44 (0) 161 233 0100
Mobile: +44 (0) 7817 219 072
Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
Registered Number: 4217114 England & Wales
Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK