By now everyone knows it, but CVSS v2 is out. What is not known by everyone is the sheer volume of debates, discussions and arguments that took place on the CVSS SIG list over the last few months. All this hides behind an innocuous line: "CVSS v2 represents the culmination of CVSS-SIG efforts to test, correct, and improve CVSS." No shit! :-) The SIG went through countless revisions and discussions, and that is what made the final CVSS v2 a solid vulnerability scoring standard.
Overall, CVSS rocks, since it brings much needed "quantitativeness" to the vulnerability space and helps kill the fuzzy "low/medium/high" ratings that indeed mean something different to everyone ...
UPDATE: The CVSS SIG team (including yours truly :-)) is listed here, if you are curious.
2 comments:
Very structured approach. But where did the magic numbers in the equations come from?
Well, this is a good question actually; these numbers are actually "magic" numbers: they are there to make the curve "behave" and carry no direct significance.
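To make the comment exchange above concrete, here is an added example (not part of the original post or its comments) that implements the CVSS v2 base-score equation in Python, with the constants from the public CVSS v2 specification marked so the "magic numbers" the commenter asks about are visible. The vector strings, function names and the assumption that the base vector carries exactly the six base metrics are my own choices, not something the post defines.

```python
# Added example: the CVSS v2 base-score equation, reproduced from the public
# CVSS v2 specification, with its "magic numbers" called out in comments.
from typing import Dict, Tuple

# Metric weights from the CVSS v2 specification. None of these values has a
# physical meaning; they were chosen so that the resulting curve spans 0..10.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

REQUIRED_METRICS = {"AV", "AC", "Au", "C", "I", "A"}


def parse_vector(vector: str) -> Dict[str, str]:
    """Parse a CVSS v2 base vector such as 'AV:N/AC:L/Au:N/C:C/I:C/A:C'."""
    parts = dict(item.split(":", 1) for item in vector.split("/"))
    missing = REQUIRED_METRICS - parts.keys()
    if missing:
        raise ValueError(f"vector is missing metrics: {sorted(missing)}")
    return parts


def unscaled_max() -> float:
    """The weighted sum at maximum impact and exploitability, before scaling.

    0.6 * 10 + 0.4 * 10 - 1.5 = 8.5, which is why the spec multiplies by
    1.176 (roughly 10 / 8.5): that factor stretches the top of the curve to 10.0.
    """
    return 0.6 * 10 + 0.4 * 10 - 1.5


def base_score(vector: str) -> Tuple[float, float, float]:
    """Return (base_score, impact, exploitability) for a CVSS v2 base vector."""
    m = parse_vector(vector)
    c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]

    # 10.41 scales the impact sub-score so that C:C/I:C/A:C lands at ~10.
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))

    # 20 scales exploitability so that AV:N/AC:L/Au:N lands at ~10.
    exploitability = (
        20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    )

    # f(Impact): a vulnerability with no impact is forced to score 0 regardless
    # of how exploitable it is; otherwise 1.176 stretches the curve to reach 10.
    f_impact = 0.0 if impact == 0 else 1.176

    # 0.6 / 0.4 weight impact over exploitability; -1.5 shifts the floor down.
    score = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(score, 1), round(impact, 1), round(exploitability, 1)


if __name__ == "__main__":
    # Constructed sample vectors: worst case, weakest nonzero case, no impact.
    for v in ("AV:N/AC:L/Au:N/C:C/I:C/A:C",
              "AV:L/AC:H/Au:M/C:P/I:N/A:N",
              "AV:N/AC:L/Au:N/C:N/I:N/A:N"):
        print(v, "->", base_score(v))
```

Running the three constructed vectors shows the shape the constants were tuned for: the worst case scores exactly 10.0, the weakest vector that still has some impact scores 0.8 (the lowest nonzero CVSS v2 base score), and a fully exploitable vector with no impact at all scores 0.0 because of the f(Impact) switch.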