[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVSS Information in CVE Descriptions

On 5/16/18 1:18 PM, Art Manion wrote:
On 2018-05-16 13:00, Waltermire, David A. (Fed) wrote:

Since this information can also appear in a dedicated field in CVE 
feeds, this seems to be duplicative in nature. This is not a widely 
used practice yet. Is this a practice that board wants to 

CVSS scores, or ideally, just the vectors, should go in the appropriate 
CVSS field in the CVE format, and not in the description.  I am in 
favor of discouraging the practice.

I'd rather work towards:

1. A more comprehensive, standard set of fields for a vulnerability (or 
vulnerability report), such as the NIST VDO.

2. A standard CVE record that complies with #1 but that only requires 
the carefully selected minimum fields to achieve CVE mission:  
Vulnerability identification.  Severity, priority, CVSS or otherwise, 
are not needed for this mission and are extraneous and distracting.

CVSS as an optional field in a CVE record is fine, and users can 
currently grab that information from JSON files in git.  Maybe MITRE 
CVE or NVD would choose to expose CVSS and other optional data from CVE 

There is clearly a user need for #1, and people are happy enough to 
just treat a CVE record as a more comprehensive vulnerability record.

I'm reasonably happy to work on #2 before #1 and back-fit #1 if that is 
more practical.

  - Art

Page Last Updated or Reviewed: May 17, 2018