Subject: CVSS v2/v3 use in CVRF 1.2
I'm going to try to summarize the discussion about the use of CVSS v2/v3, with the goal of creating a motion or voting position if needed.

<https://issues.oasis-open.org/browse/CSAF-21?focusedCommentId=65728&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-65728>

I read the above comment, but am still confused (it's me, not you Stefan), so I'm going to start with what I think should happen:

A CVRF document contains 1 or more vulnerabilities
A vulnerability contains 0 or 1 CVSSv2 scores
A vulnerability contains 0 or 1 CVSSv3 scores
CVSSv2 or v3 scores must follow CVSS rules and contain a complete set of Base vectors and score. Temporal, environmental (or modified base) are optional.

I believe Feng's position is that if a vulnerability has a CVSS score, it must be CVSSv3 (or must have CVSSv3 and can optionally also include CVSSv2?). If a CVRF producer wants to use CVSSv2, they should use CVRF 1.1.

- Art
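
The cardinality and base-vector rules listed in the message above, written as a check. This is an added example, not part of the original message and not CSAF TC code. The record layout (`score_sets`, `version`, `vector`, `base_score`) is a hypothetical simplification rather than the CVRF XML schema; the metric names and values are those of the CVSS v2 and v3 base groups.

```python
# Added example (not from the original message): checks the proposed rules
# against a constructed, simplified record. The keys "score_sets", "version",
# "vector" and "base_score" are hypothetical, not CVRF schema element names.
V2_BASE = {"AV": "LAN", "AC": "HML", "Au": "MSN", "C": "NPC", "I": "NPC", "A": "NPC"}
V3_BASE = {"AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR", "S": "UC",
           "C": "HLN", "I": "HLN", "A": "HLN"}


def missing_base_metrics(version, vector):
    """Return the base metrics that are absent or carry an invalid value."""
    parts = vector.strip("()").split("/")
    if version == 3:
        if not parts[0].startswith("CVSS:3."):
            return ["CVSS:3.x prefix"]
        parts = parts[1:]
    required = V3_BASE if version == 3 else V2_BASE
    seen = dict(p.split(":", 1) for p in parts if ":" in p)
    # Temporal and environmental metrics may be present; they are ignored here.
    return [m for m, allowed in required.items() if seen.get(m) not in set(allowed)]


def check_vulnerability(vuln):
    """Return a list of rule violations for one vulnerability record."""
    problems = []
    for version in (2, 3):
        sets = [s for s in vuln.get("score_sets", []) if s.get("version") == version]
        if len(sets) > 1:
            problems.append(f"CVSSv{version}: {len(sets)} score sets, at most 1 allowed")
        for s in sets:
            score = s.get("base_score")
            if not isinstance(score, (int, float)) or not 0.0 <= score <= 10.0:
                problems.append(f"CVSSv{version}: base score missing or out of range")
            missing = missing_base_metrics(version, s.get("vector", ""))
            if missing:
                problems.append(f"CVSSv{version}: incomplete base vector: {', '.join(missing)}")
    return problems


# Constructed sample records.
SAMPLES = {
    "v2 and v3, both complete": {"score_sets": [
        {"version": 2, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C", "base_score": 7.5},
        {"version": 3, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "base_score": 9.8}]},
    "no CVSS score": {"score_sets": []},
    "v2 without Au, no base score": {"score_sets": [
        {"version": 2, "vector": "AV:N/AC:L/C:P/I:P/A:P"}]},
}

if __name__ == "__main__":
    for name, vuln in SAMPLES.items():
        print(name, "->", check_vulnerability(vuln) or "ok")
```

The check only tests that the base group is complete and that at most one score set per CVSS version is present; it does not recompute the base score from the vector.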