Re: Proposal: Use CVSS version 3, not version 2, in CII Best Practices measures

Kevin W. Wall

I have no objections, but how will moving from CVSSv2 to CVSSv3 affect things if NVD only has CVSSv2 scores available for the particular CVE? Would there be an expectation that we would need to deal with MITRE or maybe NIST to get them to assign a new CVSSv3 score? Because I don't even want to go there.

Blog:  |  Twitter:  @KevinWWall
NSA: All your crypto bit are belong to us.

On Mon, Nov 4, 2019, 09:04 David A. Wheeler <dwheeler@...> wrote:
A very few of our criteria mention CVSS (a method for estimating the risk from a vulnerability). For example, [dynamic_analysis_fixed] says this:
CRITERION: "All medium and high severity exploitable vulnerabilities discovered with dynamic code analysis MUST be fixed in a timely way after they are confirmed."
DETAILS: A vulnerability is medium to high severity if its CVSS 2.0 base score is 4. If you are not running dynamic code analysis and thus have not found any vulnerabilities in this way, choose "not applicable" (N/A).

I'd like to update from CVSS version 2 to version 3. CVSS version 3 has been around for a while, but we didn't use it because the NIST National Vulnerability Database (NVD) only provided version 2 data, and not version 3 data. However, NIST has since added support for version 3 & has supported it for a while. More info:

This should have no effect in practice. CVSS version 3 rates some vulnerabilities more risky than version 2 did (in particular, Heartbleed gets a higher risk score under version 3 compare to version 2). That said, if a project has that many vulnerabilities where the CVSS version change matters, that's a problem in itself.

If you think that's a bad idea, please let us know.  This is already an issue on GitHub:


--- David A. Wheeler

Join to automatically receive all group messages.