Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify CVSS v2 and v3 capabilities #2047

Open
pandatix opened this issue Aug 27, 2023 · 1 comment
Open

Clarify CVSS v2 and v3 capabilities #2047

pandatix opened this issue Aug 27, 2023 · 1 comment
Labels
criteria-clarification

Comments

@pandatix
Copy link

Hey, SIG CVSS member and github.com/pandatix/go-cvss maintainer.

While looking at the vulnerabilities_fixed_60_days details I though there should be improvements.

A vulnerability is considered medium or higher severity if its Common Vulnerability Scoring System (CVSS) base qualitative score is medium or higher. In CVSS versions 2.0 through 3.1, this is equivalent to a CVSS score of 4.0 or higher.

This is partially invalid, as the rating capability came in CVSS v3.0 and remains since (in CVSS v4.0 the same scale will exist).
For CVSS v2, the concept of rating came from the NVD as part of their effort to publish and document vulnerabilities with a simple scale, but it as never been officially approved by the FIRST.ORG SIG CVSS.

I don't really know how to change those details, but think it would avoid invalid informations to spread around the community.

Best regards :)
@Desmond1976577
Copy link

R4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
criteria-clarification
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@david-a-wheeler @pandatix @Desmond1976577