csaf message

Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2

From: Art Manion <amanion@cert.org>
To: Vincent Danen <vdanen@redhat.com>
Date: Wed, 12 Apr 2017 22:47:15 -0400

On 2017-04-12 14:35, Vincent Danen wrote:

> This is something we probably want to look at for CSAF 2.0, not CVRF 
> 1.2.  I don't think it can be resolved easily.  You could have 12 
> different CVSSv2 scores right now but it's almost pointless if you can't 
> map that back to a particular product or scenario.

Agreed.  Thus, I'm proposing that CVRF 1.2 should allow zero or one CVSS
v2 score and zero or one CVSS v3 score.

A separate question remains:  If there is a CVSS score, must it be v3
(and have an optional single v2 score)?  My position is that the score
can be either v2 or v3 (or both).

 - Art

Follow-Ups:
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: Denny Page <denny@tibco.com>
- Re: Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: Masato <masato.terada.rd@hitachi.com>

References:
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: "Mr. Stefan Hagen" <stefan@hagen.link>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: Art Manion <amanion@cert.org>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: "Vincent Danen" <vdanen@redhat.com>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: Art Manion <amanion@cert.org>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: "Vincent Danen" <vdanen@redhat.com>