David A. Wheeler
On Thu, 10 Jan 2019, Daniel Heckenberg wrote:
> A very specific CII badge aspect is that detection and timely remedy of CVSS

Daniel Stenberg:
> I don't know about "usually", but I can tell you how we do it in curl (which incidentally also matches what I see in several other C/C++ projects).

I think that is the usual case. Use tools & tests so potential problems can be found & fixed before release. Since they aren't in a release, those potential problems do not normally get CVSS scores. Nowadays people often make continuous changes to a git master branch, and then use various ways to release it (put it in a package manager distro, tag it, and/or merge it into a production branch).
If a vulnerability is found in a *released* version of the software, organizations like NIST typically do the CVSS scoring for you. You can also calculate the CVSS score yourself; the CVSS base score is easy to figure out. The reason the criteria use the CVSS score is to ensure that at least the *important* vulnerabilities get fixed relatively quickly once they are known publicly, to reduce the risk to people using that software.
One point that may not be obvious: tool findings are not necessarily vulnerabilities. Many tools are based on heuristics, and they do not "know" the larger environment & expectations.
Hope that helps!
--- David A. Wheeler