Wednesday, June 27, 2007

CVSS v2 is Out

By now everyone knows it, but CVSS v2 is out. What is not known by everyone is the sheer volume of debates, discussions, and arguments that took place on the CVSS SIG list over the last few months. All this hides behind an innocuous line: "CVSS v2 represents the culmination of CVSS-SIG efforts to test, correct, and improve CVSS." No shit! :-) The SIG went thru countless revisions and discussions, which did make the final CVSS v2 a solid vulnerability scoring standard.

Overall, CVSS rocks since it brings much needed "quantitativeness" to the vulnerability space and helps kill the fuzzy "low/medium/high" that is indeed different for everyone ...

UPDATE: The CVSS SIG team (including yours truly :-)) is listed here, if you are curious.

Dr Anton Chuvakin