csaf message

Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2

From: "Vincent Danen" <vdanen@redhat.com>
To: "Denny Page" <denny@tibco.com>
Date: Tue, 25 Apr 2017 13:55:53 -0600

On 04/18/2017, at 18:36 PM, Denny Page wrote:

I am in general agreement with the concept of zero or one score foreachCVSS version. However, to avoid revisiting this should a CVSS v4appear, itmight be simpler to say zero or one score for each CVSS version at orabove
v2.

Slow response here but yes, in agreement with this. It should beacceptable to have no scores, or for the industrious, to have everyscore.

On Wed, Apr 12, 2017 at 7:47 PM, Art Manion <amanion@cert.org> wrote:
Agreed. Thus, I'm proposing that CVRF 1.2 should allow zero or oneCVSS
v2 score and zero or one CVSS v3 score.

A separate question remains:  If there is a CVSS score, must it be v3
(and have an optional single v2 score)? My position is that thescore
can be either v2 or v3 (or both).



--
Vincent Danen / Red Hat Product Security

References:
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: "Mr. Stefan Hagen" <stefan@hagen.link>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: Art Manion <amanion@cert.org>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: "Vincent Danen" <vdanen@redhat.com>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: Art Manion <amanion@cert.org>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: "Vincent Danen" <vdanen@redhat.com>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: Art Manion <amanion@cert.org>
- Re: [csaf] CVSS v2/v3 use in CVRF 1.2
  - From: Denny Page <denny@tibco.com>