[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2
On 4/5/17 4:29 PM, Booth, Harold (Fed) wrote: > While I do understand the thinking around requiring CVSS v3 in CVRF > 1.2, I see it as overly focusing on the single use case of describing > new vulnerabilities from this time forward and not taking into > account other use cases and usage models. For CERT/CC's use case -- attempting to evaluate internet-wide severity -- CVSSv2 is superior due to the way Environmental metrics are handled. Furthermore, CVSS has other issues, and I intend to bring up alternatives, or at least some sort of modular/container severity object, for CSAF/CVRF v.next. Regards, - Art
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]