Re: Proposal: Use CVSS version 3, not version 2, in CII Best Practices measures

David A. Wheeler
 

Here's a pull request that tries to resolve the CVSS issues:
https://github.com/coreinfrastructure/best-practices-badge/pull/1367

It's more text than I'd like, but my goal was to be 100% clear.
For example, instead of "medium or high" it was changed to
"medium or higher" (because we REALLY want critical vulnerabilities fixed!).
Below is the (simplified) diff of criterion vulnerabilities_fixed_60_days.

My goal was to be future-proof and precise.
CVSS is not a perfect system, but we just want a way to let projects
lower the priority of low-importance vulnerabilities, and for that task I
think it does okay.

Comments welcome.

--- David A. Wheeler

=============================================

There MUST be no unpatched vulnerabilities of medium
- or high severity that have been publicly known for more
+ or higher severity that have been publicly known for more
than 60 days.
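Review bot: the summary's "medium or higher severity" rests on the qualitative CVSS scale that is only defined in the detail text, and the summary is the line most readers will see; consider a short pointer such as "medium or higher severity (as rated by CVSS)" so the threshold is not read as the project's own judgement of importance. The change from "or high" to "or higher" is the right fix, since it unambiguously includes the CVSS 3.x "critical" band.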

(In details)
- A vulnerability
- is medium to high severity if its
- <a href="https://nvd.nist.gov/cvss.cfm">CVSS
- 2.0</a> base score is 4 or higher.
+ A vulnerability is considered medium or higher severity if its <a
+ href="https://www.first.org/cvss/"
+ >Common Vulnerability Scoring System (CVSS)</a>
+ base qualitative score is medium or higher.
+ In CVSS versions 2.0 through 3.1, this is
+ equivalent to a CVSS score of 4.0 or higher.
+ Projects may use the CVSS score
+ as published in a widely-used vulnerability database (such as the
+ <a href="https://nvd.nist.gov">National Vulnerability Database</a>)
+ using the most-recent version of CVSS reported in that database.
+ Projects may instead calculate the severity
+ themselves using the latest version of
+ <a href="https://www.first.org/cvss/">CVSS</a> at the time of
+ the vulnerability disclosure,
+ if the calculation inputs are publicly revealed once
+ the vulnerability is publicly known.
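Review bot: the two permitted sources of a severity rating can disagree, and the text does not say which one governs; a database entry (e.g. NVD) may rate a vulnerability high while a project's own calculation with the latest CVSS version yields medium, and as written a project could simply pick the lower of the two. Consider stating precedence, for example that the published database score applies unless the project publishes its own CVSS vector and the reason it differs. Two smaller wording points: "base qualitative score" is not CVSS terminology; CVSS 3.x calls it the "qualitative severity rating" of the base score, and CVSS 2.0 itself defines no qualitative scale at all (the Low/Medium/High bands are NVD's), so "In CVSS versions 2.0 through 3.1, this is equivalent to a CVSS score of 4.0 or higher" is correct for the NVD bands but the sentence should say which scale it refers to. The 4.0 threshold itself checks out: Medium starts at 4.0 in NVD's CVSS 2.0 bands and in the CVSS 3.0/3.1 rating scale.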

Join CII-badges@lists.coreinfrastructure.org to automatically receive all group messages.