Comments (4)
In other words, we need a way to encode the adjective "potential" often used in CVE descriptions. Rather than a "level of confidence", I see it as a binary "based on facts, claims or theory" vs "facts unknown, not enough information or based on assumptions".
from automation-working-group.
Is this not encoded in CVSS 2/3 temporal scores? Or is CVSS out of scope here?
from automation-working-group.
@mydimension you are correct: CVSS does have a metric to indicate confidence:
https://www.first.org/cvss/specification-document#3-3-Report-Confidence-RC
However this does not let us indicate which particular metric values are based on facts and which are assumptions. If something is unknown, CVSS guidelines suggest to assume either the worst case scenario or the most likely scenario.
Take an example where a researcher finds a file with hex-encoded ASCII text accessible without a password on the web interface of a black-box product. If that text is an administrative password or a session id, the CVSS score can be 10. If it is some insignificant input leftover from a test, the CVSS score can be zero. To start with, the right thing to do here is to give it a high score assuming the worst and respond to it with high priority. Here it may be worthwhile to make a note that there are unknowns which, if clarified, could change the score. While scoring this issue we know for sure AV=N, AC=L, PR=N, UI=N, but there is not enough information to determine S, C, I, A.
from automation-working-group.
Makes sense, and thanks for the explanation. Just wasn't sure if it was a redundant effort.
from automation-working-group.