|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVSS Information in CVE Descriptions
- To: "cve-editorial-board-list@imc.mitre.org" <cve-editorial-board-list@imc.mitre.org>
- Subject: CVSS Information in CVE Descriptions
- From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
- Date: Wed, 16 May 2018 17:00:46 +0000
- Accept-language: en-US
- Authentication-results: spf=fail (sender IP is 198.49.146.235) smtp.mailfrom=nist.gov; imc.mitre.org; dkim=pass (signature was verified) header.d=nistgov.onmicrosoft.com;imc.mitre.org; dmarc=fail action=none header.from=nist.gov;
- Authentication-results-original: spf=none (sender IP is ) smtp.mailfrom=david.waltermire@nist.gov;
- Delivery-date: Wed May 16 13:09:43 2018
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nistgov.onmicrosoft.com; s=selector1-nist-gov; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=85J0zd6etxlOBaxPubE9SWakxXlNiyo9yvNSP4XTvfg=; b=IB/mp64A651NGWCews8PYtRc/ArsP1Xk1d5ZKW7zITVvqSpXJLDYsWbg5UnPxE+tzlq6ycU+Bd5UgfgayJHpG2CDfjp0zh4dgVZ9kG0DF6P7MV325WoUKTG19WgZzV4x2LQRgb0L3bgmTrb+eFQpBDEV8mPHRb7VVR64drxYgMA=
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
- Thread-index: AdPtNwveO80iQjiaQLu5bVGOlWqUXA==
- Thread-topic: CVSS Information in CVE Descriptions
There has been a recent trend in adding CVSS scores and vectors to the CVE description. The following are some examples. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2765 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8365 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8838 There are currently roughly 1293 entries in the NVD (https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=CVSS&queryType=phrase&search_type=all) that contain this information. IMHO, this practice goes beyond what is intended to be included in a textual description and has started to appear in entries over the last year or so. The current guidance on descriptions is here: https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created. Since this information can also appear in a dedicated field in CVE feeds, this seems to be duplicative in nature. This is not a widely used practice yet. Is this a practice that board wants to encourage/discourage? Regards, Dave David Waltermire Information Technology Laboratory | Computer Security Division National Institute of Standards and Technology
- Prev by Date: CVE Board Meeting Agenda – 16 May 2018, 2:00 - 4:00 PM
- Next by Date: Re: CVSS Information in CVE Descriptions
- Previous by thread: CVE Board Meeting Agenda – 16 May 2018, 2:00 - 4:00 PM
- Next by thread: Re: CVSS Information in CVE Descriptions
- Index(es):