csaf message

Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2

From: Art Manion <amanion@cert.org>
To: "Booth, Harold (Fed)" <harold.booth@nist.gov>, Vincent Danen <vdanen@redhat.com>
Date: Wed, 5 Apr 2017 16:54:10 -0400

On 4/5/17 4:29 PM, Booth, Harold (Fed) wrote:

> While I do understand the thinking around requiring CVSS v3 in CVRF
> 1.2, I see it as overly focusing on the single use case of describing
> new vulnerabilities from this time forward and not taking into
> account other use cases and usage models.

For CERT/CC's use case -- attempting to evaluate internet-wide severity
-- CVSSv2 is superior due to the way Environmental metrics are handled.

Furthermore, CVSS has other issues, and I intend to bring up
alternatives, or at least some sort of modular/container severity
object, for CSAF/CVRF v.next.

Regards,

 - Art

References:
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: "Mr. Stefan Hagen" <stefan@hagen.link>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: Art Manion <amanion@cert.org>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: "Vincent Danen" <vdanen@redhat.com>
- RE: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: "Booth, Harold (Fed)" <harold.booth@nist.gov>