Re: Proposal: Use CVSS version 3, not version 2, in CII Best Practices measures
David A. Wheeler
> I have no objections, but how will moving from CVSSv2 to CVSSv3 affect things if NVD only has CVSSv2 scores available for the particular CVE? Would there be an expectation that we would need to deal with MITRE or maybe NIST to get them to assign a new CVSSv3 score? Because I don't even want to go there.

Good point. I think that shouldn't be required, & it wasn't intended. I think we can solve that.
But first, I think I'm required to note that anyone can calculate a CVSS score.
NVD has a little calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
FIRST does too: https://www.first.org/cvss/calculator/3.0 and https://www.first.org/cvss/calculator/3.1
That said, there's a judgement call on a few questions like "privileges required" that are used to do the calculation. In most cases that won't matter, but I imagine people would rather get some "official" ruling on them. There's also the issue that people want to just use someone's calculation instead of doing it themselves; nobody wants to fight over that stuff.
Your question about versioning & clarity also raises a few related issues (which I think can also be resolved):
1. I posted about "version 3", but I really meant the "latest version in the 3 series" which is actually 3.1. We really don't want to be changing the text every time a new CVSS edition comes out. Using "most recent published" should resolve it.
2. When I say "CVSS scores" I really just mean the *base* score. NVD does the same thing, they only use base scores (see https://nvd.nist.gov/vuln-metrics/cvss ). The "temporal score" varies by time, and the "environmental score" varies by environment, so neither are useful for our purposes. Most people just look at the NVD score (and thus "do what was intended" anyway), but that should be clearer than it currently is.
The simple solution is to let people use the vulnerability's base CVSS value as (1) published in a widely-used vulnerability database with the most-recent version of CVSS for that vulnerability, or (2) calculated themselves using the current version of CVSS (with the calculation publicly revealed if the vulnerability is publicly known). That means projects might not always use the current version of CVSS, but that's okay. Over time the old values will become irrelevant (through aging out), without requiring a lot of unnecessary work.
CVSS isn't a be-all/end-all. I think of it more as a simple heuristic. Ideally projects would fix all vulnerabilities, but there are some "vulnerabilities" which are very low risk & in some cases it's debatable that they even *are* vulnerabilities. We're simply using CVSS as a mechanism to let projects focus on the "vulnerabilities that are more likely to matter".
--- David A. Wheeler