[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2
On 05/04/17 04:06, Art Manion wrote: > On 2017-04-04 15:31, Mr. Stefan Hagen wrote: > >> I move, that the chair of the TC shall request a ballot for a full >> majority vote from administration with the ballot question: "Every >> vuln:CVSSScoreSets element if present MUST contain zero or more >> CVSSScoreSetV2 and one or more CVSSScoreSetV3 elements" offering the >> answers "yes", "no", and "abstain". > > Assuming discussion is allowed at this point... > > How can a vuln:CVSSScoreSets element have more than one CVSSScoreSet? > This means a vulnerability can have two or more CVSS scores? Can anyone > provide a use case/example? Sure, very simple (but I also had to dig coming from far away ...): There is this ProductID element in the set of a ScoreSetVx ... so if I envision a monthly security patch advisory with approx. 100k lines of XML targeting the many platforms and products aggregated by the changes accumulated in a month and not by a specific vulnerability or product, this comes in quite handy. All the best, Stefan.
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]