Versions Compared

Old Version 5

changes.mady.by.user user-f8986

Saved on

compared with

New Version 6

changes.mady.by.user user-5e993

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Even for the reports a vendor accepts as legitimate and worthwhile, it is likely that the development team does not have time to address every report at the moment it arrives. Thus, if a report is found to be valid, the next question is how to allocate resources to the report. Most often this requires some measure of how severe the vulnerability is. In some scenarios, the vulnerability may be a critical flaw that requires immediate action, while other cases might indicate a very rare and hard-to-exploit vulnerability that should be given a low priority.

There are a number of heuristics for evaluating the severity of vulnerabilities. Perhaps the most commonly known of these is the Common Vulnerability Scoring System (CVSS) [1]. This system allows a short standard description of the impact of a vulnerability and can be mapped to a score between 1.0 and 10.0 to help prioritization. A related but different metric is the Common Weakness Scoring System (CWSS) [2]. Whereas CVSS addresses the detailed impact of a specific vulnerability, CWSS can be used to evaluate the impact of a class of weaknesses. While scoring systems like CVSS and CWSS can be useful at establishing relative severity among reports, care must be taken in their use since scores do not always map well onto a vendor's or deployer's priorities.

Vendors should ensure their analysts are trained in the chosen heuristic and understand its strengths and weaknesses so that its result can be overridden when necessary. We do not, for example, recommend blind adherence to hard cutoffs such as "We only bother with reports that have a CVSS score greater than 7.0." No vulnerability scoring system is so precise. Ideally, whatever prioritization scheme is used should also be made transparent to reporters so that the process is understood by all stakeholders. Transparency in this part of the process can help prevent frustration and confusion when reporter and vendor disagree on severity of a vulnerability.



Panel
borderStylesolid

< 4.2 Reporting | 4.4 Remediation >


References

  1. FIRST, "Common Vulnerability Scoring System," [Online]. Available: https://www.first.org/cvss. [Accessed 17 May 2017].
  2. MITRE, "Common Weakness Scoring System (CWSS) version 1.0.1," 5 September 2014. [Online]. Available: https://cwe.mitre.org/cwss/cwss_v1.0.1.html. [Accessed 17 May 2017].