[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2
On 2017-04-12 14:35, Vincent Danen wrote: > This is something we probably want to look at for CSAF 2.0, not CVRF > 1.2. I don't think it can be resolved easily. You could have 12 > different CVSSv2 scores right now but it's almost pointless if you can't > map that back to a particular product or scenario. Agreed. Thus, I'm proposing that CVRF 1.2 should allow zero or one CVSS v2 score and zero or one CVSS v3 score. A separate question remains: If there is a CVSS score, must it be v3 (and have an optional single v2 score)? My position is that the score can be either v2 or v3 (or both). - Art
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]