csaf message

Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2

From: Denny Page <denny@tibco.com>
To: Art Manion <amanion@cert.org>
Date: Tue, 18 Apr 2017 17:36:59 -0700

I am in general agreement with the concept of zero or one score for each CVSS version. However, to avoid revisiting this should a CVSS v4 appear, it might be simpler to say zero or one score for each CVSS version at or above v2.

On Wed, Apr 12, 2017 at 7:47 PM, Art Manion <amanion@cert.org> wrote:

Agreed. Thus, I'm proposing that CVRF 1.2 should allow zero or one CVSS
v2 score and zero or one CVSS v3 score.

A separate question remains: If there is a CVSS score, must it be v3
(and have an optional single v2 score)? My position is that the score
can be either v2 or v3 (or both).

Follow-Ups:
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: "Vincent Danen" <vdanen@redhat.com>

References:
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: "Mr. Stefan Hagen" <stefan@hagen.link>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: Art Manion <amanion@cert.org>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: "Vincent Danen" <vdanen@redhat.com>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: Art Manion <amanion@cert.org>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: "Vincent Danen" <vdanen@redhat.com>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: Art Manion <amanion@cert.org>