[Owasp-testing] CVSS v2
christian.heinrich at cmlh.id.au
Thu May 9 03:01:02 UTC 2013

CVSSv3 has been in active development since June 2012 (i.e. for almost a
year) and the intent is to address the lack of consideration of the "end
user", i.e. the "client" web browser and has been listed/recorded/minuted
by the CVSS-SIG as per

Since both CVSSv2 and CVSS(v1) consider the lifecycle of a vulnerability
(i.e. from discovery to the development of an exploit) it is *not*
comparable to a "traditional security issue rating system" such as AS/NZS
4360, which has been updated and released as an ISO standard in 2009 i.e.

On Wed, May 8, 2013 at 9:43 AM, Eoin <eoin.keary at owasp.org> wrote:
> CVSS pretty much is devoid of context.
> It does not consider client attacks IMHO. It's more of a traditional
> security issue rating system. PCI mapping to CVSS v2 for appsec is pretty