Wednesday, June 27, 2007

CVSS v2 is Out

By now everyone knows it, but CVSS v2 is out. What is not known by everyone is the sheer volume of debates, discussions and arguments that took place on the CVSS SIG list over the last few months. All this hides behind an innocuous line: "CVSS v2 represents the culmination of CVSS-SIG efforts to test, correct, and improve CVSS." No shit! :-) The SIG went through countless revisions and discussions, which did make the final CVSS v2 a solid vulnerability scoring standard.

Overall, CVSS rocks since it brings much-needed "quantitativeness" to the vulnerability space and helps kill the fuzzy "low/medium/high" that is indeed different for everyone ...

UPDATE: The CVSS SIG team (including yours truly :-)) is listed here, if you are curious.


Anonymous said...

Very structured approach. But where did the magic numbers in the equations come from?

Anton Chuvakin said...

Well, this is a good question actually; these numbers are actually "magic" numbers - they are there to make the curve "behave" and carry no direct significance.

Dr Anton Chuvakin