[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [csaf] CVSS v2/v3 use in CVRF 1.2
On 04/18/2017, at 18:36 PM, Denny Page wrote:
I am in general agreement with the concept of zero or one score for each CVSS version. However, to avoid revisiting this should a CVSS v4 appear, it might be simpler to say zero or one score for each CVSS version at or abovev2.
Slow response here but yes, in agreement with this. It should be acceptable to have no scores, or for the industrious, to have every score.
On Wed, Apr 12, 2017 at 7:47 PM, Art Manion <amanion@cert.org> wrote:Agreed. Thus, I'm proposing that CVRF 1.2 should allow zero or one CVSSv2 score and zero or one CVSS v3 score. A separate question remains: If there is a CVSS score, must it be v3(and have an optional single v2 score)? My position is that the scorecan be either v2 or v3 (or both).
-- Vincent Danen / Red Hat Product Security
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]