Security's revamped index of pain readies for release

Comments sought on draft Common Vulnerability Scoring System 3.0 bug rating scheme

The great unwashed has been afforded an opportunity to comment on a new scheme for classifying the severity of infosec vulnerabilities issued by the National Institute of Standards and Technology.

The Common Vulnerability Scoring System (CVSS) is a pain-assessment index that offers a one-to-ten scale to describe vulnerabilities.

Scores range up to 10, with high severity graded 7 to 10, medium 4 to 6.9, and low 0 to 3.9.

The first version of the CVSS was launched in 2004. Work began on version three in 2012 and is expected to be completed this year.

Co-chair Max Heitman said in an update that developers and bug reporters should use the new scoring system now, but only publish scores using the old rating system.

"As with preview release 1, it is our hope that teams will fully utilize access to this preview and begin to produce CVSS v3.0 scores alongside whatever other scoring system they are using today," Heitman said.

"When the completed CVSS v3.0 standard is approved, organisations that have stored scores produced via CVSS v3.0 previews can use that data to offer official CVSS v3.0 scoring data."

CVSS scores offer a handy way to prioritise triage targets, more so now that the revised scoring system offers more granular insight into the exploitability of a bug, its remediation level, collateral damage, and confidence in the source of the vulnerability report.

The second preview of the new scheme updated the point of attack where a CVSS score should be placed - at the point that security, integrity and availability were impacted - and explained how bugs touching multiple systems should be handled, among other improvements.

Preview documents can be downloaded and comments can be sent to the special interest group by emailing cvss-v3-comments@first.org before February 28. ®
