The possibility also exists that someone could be sending you reports to waste your time, or erroneously believes the report is much more serious than your analysis suggests. Not all reports you receive warrant your attention. It is usually reasonable to decline reports if you provide the reporter with a summary of your analysis and the ability to appeal (presumably by providing the needed clarifying information).

Reporters should review Section 4.2 to ensure the report contains enough details for the recipient to verify and reproduce a vulnerability. Be as specific as you can. Vendors that follow up with questions are doing the right thing, and attempting to validate your report; be friendly and courteous and attempt to provide as much detail and help as you can.

Triage Heuristics

Even for the reports a vendor accepts as legitimate and worthwhile, it is likely that the development team does not have time to address every report at the moment it arrives. Thus, if a report is found to be valid, the next question is how to allocate resources to the report. Most often this requires some measure of how severe the vulnerability is. In some scenarios, the vulnerability may be a critical flaw that requires immediate action, while other cases might indicate a very rare and hard-to-exploit vulnerability that should be given a low priority.

There are a number of heuristics for evaluating the severity of vulnerabilities. Perhaps the most commonly known of these is the Common Vulnerability Scoring System (CVSS) [1]. This system allows a short standard description of the impact of a vulnerability and can be mapped to a score between 1.0 and 10.0 to help prioritization. A related but different metric is the Common Weakness Scoring System (CWSS) [2]. Whereas CVSS addresses the detailed impact of a specific vulnerability, CWSS can be used to evaluate the impact of a class of weaknesses. While scoring systems like CVSS and CWSS can be useful for establishing relative severity among reports, care must be taken in their use since scores do not always map well onto a vendor's or deployer's priorities.

Vendors should ensure their analysts are trained in the chosen heuristic and understand its strengths and weaknesses so that its result can be overridden when necessary. We do not, for example, recommend blind adherence to hard cutoffs such as "We only bother with reports that have a CVSS score greater than 7.0." No vulnerability scoring system is so precise. Ideally, whatever prioritization scheme is used should also be made transparent to reporters so that the process is understood by all stakeholders. Transparency in this part of the process can help prevent frustration and confusion when reporter and vendor disagree on the severity of a vulnerability.

References

  1. FIRST, "Common Vulnerability Scoring System," [Online]. Available: https://www.first.org/cvss. [Accessed 17 May 2017].
  2. MITRE, "Common Weakness Scoring System (CWSS) version 1.0.1," 5 September 2014. [Online]. Available: https://cwe.mitre.org/cwss/cwss_v1.0.1.html. [Accessed 17 May 2017].