[Servercert-wg] Ballot SC39: Definition of Critical Vulnerability

Neil Dunbar ndunbar at trustcorsystems.com
Wed Dec 9 10:44:50 UTC 2020


This begins the discussion period for Ballot SC39: Definition of 
Critical Vulnerability


The following motion has been proposed by Neil Dunbar of TrustCor and 
endorsed by Ben Wilson (Mozilla) and Corey Bonnell (DigiCert).

The NetSec discussion document for this ballot is attached to this email.

Purpose of Ballot:

It was brought to the attention of the NetSec Subgroup that the URL in 
the NCSSRs which points to the definitions of the CVSS security scoring 
system is no longer the appropriate one; moreover the definition of 
“Critical Vulnerability” is no longer strictly correct by the 
definitions currently posted by NIST.

Definitions of terms should always be consistent, especially when the 
term is canonically defined by an external body; references should be 
updated as and when they change on the canonical source.

-- MOTION BEGINS --

This ballot modifies the “Network and Certificate System Security 
Requirements” based on Version 1.5.

Under the section “Definitions”:

Remove the current definition:

Critical Vulnerability: A system vulnerability that has a CVSS score of 
7.0 or higher according to the NVD or an equivalent to such CVSS rating 
(see http://nvd.nist.gov/home.cfm), or as otherwise designated as a 
Critical Vulnerability by the CA or the CA/Browser Forum.

Insert a new definition:

Critical Vulnerability: A system vulnerability that has a CVSS v3.0 
score of 9.0 or higher according to the NVD or an equivalent to such 
CVSS rating (see https://nvd.nist.gov/vuln-metrics/cvss), or as 
otherwise designated as a Critical Vulnerability by the CA or the 
CA/Browser Forum.

-- MOTION ENDS --

* WARNING *: USE AT YOUR OWN RISK. THE REDLINE BELOW IS NOT THE OFFICIAL 
VERSION OF THE CHANGES (CABF Bylaws, Section 2.4(a)):

A comparison of the changes can be found at:

https://github.com/cabforum/servercert/compare/8f63128...neildunbar:54c201f

This ballot proposes one Final Maintenance Guideline.

The procedure for approval of this ballot is as follows:

Discussion: (7+ days)
Start Time: 2020-12-09 17:00 UTC
End Time: not before 2020-12-16 17:00 UTC

Vote for approval: (7 days)
Start Time: TBD
End Time: TBD

-------------- next part --------------
A non-text attachment was scrubbed...
Name: SC39 Ballot_ Critical Vulnerability Definitions.pdf
Type: application/pdf
Size: 65757 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/servercert-wg/attachments/20201209/9ce7fffe/attachment-0001.pdf>

