
Move from CVSS version 2.0 to version 3.0?


David A. Wheeler

I think we should switch from Common Vulnerability Scoring System (CVSS) version 2.0 to version 3.0 in the criteria.  Any objections?


We don’t need to do this quickly, but I’d like it to be in the queue.  If people have opinions on how fast we should do this, I’d like to know.  I want to be cautious about anything that would affect existing badge-holders, but I do not think this will affect any current badge-holders.


Details below.


--- David A. Wheeler


=== DETAILS ===


A very few of our criteria mention CVSS.  For example, [dynamic_analysis_fixed] says this:

CRITERION: “All medium and high severity exploitable vulnerabilities discovered with dynamic code analysis MUST be fixed in a timely way after they are confirmed.”

DETAILS: A vulnerability is medium to high severity if its CVSS 2.0 base score is 4 or higher. If you are not running dynamic code analysis and thus have not found any vulnerabilities in this way, choose "not applicable" (N/A).


CVSS version 3 has been around for a while, but we didn’t use it because the NIST National Vulnerability Database (NVD) only provided version 2 data, and not version 3 data.  However, NIST has since added support for version 3.  More info:

https://nvd.nist.gov/vuln-metrics/cvss


This should have little effect in practice.  CVSS version 3 rates some vulnerabilities as riskier than version 2 did (in particular, Heartbleed gets a higher risk score under version 3 compared to version 2).  That said, if a project has that many vulnerabilities where the CVSS version change matters, that's a problem in itself.