Thursday, August 18, 2005

Common IT Security Alert systems

While researching and looking at various IT security companies like F-Secure, ISS, McAfee or even companies like Microsoft, Oracle or other companies, there was one thing I noticed and felt very strongly about. Every company has its own way to rate a particular threat or vulnerability. For example, Microsoft labels vulnerabilities and threats as Critical, Important, Moderate, etc.; McAfee rates them as High, Medium, Low, etc.; ISS has different AlertCons (Alert Conditions) from 1 to 4. Although they mean the same thing, it takes some work to translate them into a common understanding of levels. Here again, every individual company has different translations. No major problems there.

But here's the major issue that I see. Every company rates a threat differently. For example, for a given vulnerability / threat, Microsoft may rate it as Important, but ISS may rate it as AlertCon 2, McAfee might rate it as Low or Medium, and some other company might rate it as something else. How do we as end users / companies understand the gravity? We again have to spend time analysing it and patching as necessary. Wouldn't it be great if there were a consortium to rate every threat at a common level? I admit that it won't be easy given the different operating environments every company has, but my take is that it won't be difficult.

I am going to try and analyse some of the threats and vulnerabilities, rate them at a certain level, and develop a standard around it so that it would be easy for all to relate to their environments. I will see how much time I can spend on this, as I also have to earn my livelihood. But moving forward, I aim to make security consulting and analysis my primary occupation.

As always, comments and intents of contributions are welcome.
