[Owasp-testing] CVSS v2

alberto cuevas beto.cuevas.v at gmail.com
Tue May 7 23:34:34 UTC 2013


Hello,

Section 5.1, HOW TO VALUE THE REAL RISK, in the OWASP Testing Guide v3 notes:


"Ideally, there would be a universal risk rating system that would
accurately estimate all risks for all
organization. But a vulnerability that is critical to one organization may
not be very important to another.
So we're presenting a basic framework here that you should customize for
your organization. "

Whereby, the following questions came to mind:

- Is it a good idea to use CVSS v2 to score web pentest results? (I think
so, since the temporal and environmental metrics can produce different
ratings, which determine how critical the vulnerability is for one
organization or another.)

- I read that CVSS v2 has some limitations for scoring combined
vulnerabilities. So, in case CVSS v2 is used for scoring, does some way
exist to solve this issue?

I wonder if there are opinions on the ups and downs of using CVSS v2 to
rate web pentest results. I appreciate in advance any help or
information you can give me.

Best Regards,

Beto
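
Added example, not part of the original message: a small CVSS v2 calculator using the equations and weights from the CVSS v2.0 specification, showing how one base vector yields different environmental scores for two organizations. The finding vector and both organization profiles in the demo are constructed for illustration.

```python
# CVSS v2.0 metric weights (from the CVSS v2.0 specification).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
E = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
RL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
RC = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}
CDP = {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0}
TD = {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0}
REQ = {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}  # CR / IR / AR

def parse(vector):
    """Turn 'AV:N/AC:L/...' into {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":") for part in vector.split("/"))

def _base(m, impact):
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f, 1)

def _temporal(m, base):
    # Temporal metrics left out of the vector are treated as Not Defined.
    return round(base * E[m.get("E", "ND")] * RL[m.get("RL", "ND")]
                 * RC[m.get("RC", "ND")], 1)

def score(vector):
    """Return the base, temporal and environmental scores for a v2 vector."""
    m = parse(vector)
    c, i, a = (CIA[m[k]] for k in ("C", "I", "A"))
    base = _base(m, 10.41 * (1 - (1 - c) * (1 - i) * (1 - a)))
    cr, ir, ar = (REQ[m.get(k, "ND")] for k in ("CR", "IR", "AR"))
    # Environmental: recompute impact weighted by the security requirements.
    adj_impact = min(10.0, 10.41 * (1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar)))
    adj_temporal = _temporal(m, _base(m, adj_impact))
    env = round((adj_temporal + (10 - adj_temporal) * CDP[m.get("CDP", "ND")])
                * TD[m.get("TD", "ND")], 1)
    return {"base": base, "temporal": _temporal(m, base), "environmental": env}

if __name__ == "__main__":
    finding = "AV:N/AC:L/Au:N/C:P/I:P/A:P"  # constructed sample finding
    profiles = {  # constructed environmental profiles for two organizations
        "org A (critical asset)": "CDP:H/TD:H/CR:H/IR:H/AR:H",
        "org B (minor asset)": "CDP:N/TD:L/CR:L/IR:L/AR:L",
    }
    for name, env_metrics in profiles.items():
        print(name, score(finding + "/" + env_metrics))
```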