[cabf_netsec] Fwd: [cabforum/documents] NetSec: suggested CVSS updates (#156)

Dimitris Zacharopoulos (HARICA) dzacharo at harica.gr
Thu Jan 23 06:02:22 MST 2020


Please consider this at the next netsec meeting. If the subcommittee 
thinks this change is justified and is deemed non-controversial, it may 
consider adding it in an upcoming ballot.

Dimitris.


-------- Forwarded Message --------
Subject: 	[cabforum/documents] NetSec: suggested CVSS updates (#156)
Date: 	Wed, 22 Jan 2020 20:10:32 -0800
From: 	Josh Aas <notifications at github.com>
Reply-To: 	cabforum/documents 
<reply+ACAMQERW63ZULTTODINBF4N4GZHTREVBNHHCCBB4HA at reply.github.com>
To: 	cabforum/documents <documents at noreply.github.com>
CC: 	Subscribed <subscribed at noreply.github.com>



Passing this report/suggestion along from a community member.

Relating to the definition of "Critical Vulnerability":

 1. This link seems outdated:

http://nvd.nist.gov/home.cfm

Perhaps a better link would be:

https://nvd.nist.gov/vuln-metrics/cvss

This also has the advantage of being an https link.

 2. CVSS v3.0 defines critical as 9.0 or above. The NetSec guidelines
    currently say CVSS 7.0 or higher is critical. Should the NetSec
    guidelines be changed to define critical as 9.0, in line with the
    CVSS ratings, or is NetSec intentionally lowering the bar for what's
    considered critical to 7.0?
