[Owasp-testing] CVSS v2

Colin Watson colin.watson at owasp.org
Thu May 9 15:19:07 UTC 2013


Beto

You have received lots of great feedback from others on this list.

May I add some other aspects to consider:

- what purpose the "score" will be used for
- what will the "scores" be compared with?
- has some particular scoring method been used previously for this
application/business/company?
- ability for the target audience to understand it
- on whom is the impact being considered - we often assume "business
impact", but the impact on individuals, other parties and society may
also need to be considered?

Colin




On 8 May 2013 09:14, Colin Watson <colin.watson at owasp.org> wrote:
> Beto
>
> Your questions are very pertinent, and Eoin's reply is correct.
>
>> - Is it a good idea to use CVSS v2 to score web pentest results? (I think
>> so, since the temporal and environmental metrics can produce different
>> ratings, which determine how critical the vulnerability is for one or
>> another organization.)
>
> I would avoid CVSS2 at all costs for application vulnerabilities if
> possible. Yes, people have been known to fiddle with the values to
> obtain the CVSS2 score they want. If anything other than the base
> score is presented, be suspicious. If the vector is not provided (it
> is a requirement), then be extremely suspicious.
>
>> - I read that CVSS v2 has some limitations for scoring combined
>> vulnerabilities. So, in case of using CVSS v2 to score, does some way exist
>> to solve this issue?
>
> CVSS2 has no relevance at all to combinations of vulnerabilities.
>
> Also, the impact is measured against the target "system", and for many
> organisations things like data, reputation, human safety, share price,
> ethics are more important concerns. You need to determine the impact
> and likelihood for the particular application/organisation.
>
> Colin
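To make the "base score versus vector" point above concrete, here is an added
example (it is not code from this thread, from Colin, or from OWASP) that parses
a CVSS v2 vector string and computes the base, temporal and environmental scores
with the published CVSS v2.0 equations and weights. The parser refuses to score
anything that lacks a complete base vector, and the constructed inputs at the
bottom show how environmental metrics alone can move the same base vector from
7.8 up to 9.2 or down to 2.0, which is exactly why anything beyond the base
score deserves scrutiny. Decimal arithmetic is used so that the guide's
round_to_1_decimal (half up) gives the same results as the reference worked
example.

```python
"""CVSS v2 scorer: parse a vector and compute base/temporal/environmental
scores per the CVSS v2.0 guide. Added example; not OWASP or thread code."""
from decimal import Decimal, ROUND_HALF_UP

D = Decimal

# Base metric weights (CVSS v2.0 guide, section 3.2.1).
BASE = {
    "AV": {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")},
    "AC": {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")},
    "Au": {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")},
    "C":  {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    "I":  {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
    "A":  {"N": D("0"), "P": D("0.275"), "C": D("0.660")},
}
# Temporal weights; "ND" (not defined) never changes the score.
TEMPORAL = {
    "E":  {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")},
    "RL": {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")},
    "RC": {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")},
}
# Environmental weights.
ENV = {
    "CDP": {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")},
    "TD":  {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")},
    "CR":  {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")},
    "IR":  {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")},
    "AR":  {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")},
}


def round1(x):
    """round_to_1_decimal from the guide: one decimal place, half up."""
    return D(x).quantize(D("0.1"), rounding=ROUND_HALF_UP)


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:N/I:N/A:C[/E:..][/RL:..][/RC:..][/CDP:..]...'.
    Raises ValueError on a missing, repeated or unknown base metric, so no
    score can be produced without a complete base vector."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        if ":" not in part:
            raise ValueError("malformed metric %r" % part)
        name, value = part.split(":", 1)
        table = BASE.get(name) or TEMPORAL.get(name) or ENV.get(name)
        if table is None or value not in table:
            raise ValueError("unknown metric or value %r" % part)
        if name in metrics:
            raise ValueError("metric %s given twice" % name)
        metrics[name] = value
    missing = [m for m in BASE if m not in metrics]
    if missing:
        raise ValueError("base vector incomplete, missing %s" % ",".join(missing))
    for name in list(TEMPORAL) + list(ENV):  # optional metrics default to ND
        metrics.setdefault(name, "ND")
    return metrics


def _base_from_impact(m, impact):
    """BaseScore = round1((0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact))."""
    exploitability = D(20) * BASE["AV"][m["AV"]] * BASE["AC"][m["AC"]] * BASE["Au"][m["Au"]]
    f_impact = D(0) if impact == 0 else D("1.176")
    return round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f_impact)


def _temporal_from_base(m, base):
    return round1(base * TEMPORAL["E"][m["E"]] * TEMPORAL["RL"][m["RL"]] * TEMPORAL["RC"][m["RC"]])


def base_score(m):
    c, i, a = (BASE[k][m[k]] for k in ("C", "I", "A"))
    impact = D("10.41") * (1 - (1 - c) * (1 - i) * (1 - a))
    return _base_from_impact(m, impact)


def temporal_score(m):
    return _temporal_from_base(m, base_score(m))


def environmental_score(m):
    """AdjustedImpact re-weights C/I/A by CR/IR/AR (capped at 10), the base and
    temporal equations are re-run on it, then CDP and TD are applied."""
    c, i, a = (BASE[k][m[k]] * ENV[k + "R"][m[k + "R"]] for k in ("C", "I", "A"))
    adjusted_impact = min(D(10), D("10.41") * (1 - (1 - c) * (1 - i) * (1 - a)))
    adjusted_temporal = _temporal_from_base(m, _base_from_impact(m, adjusted_impact))
    return round1((adjusted_temporal + (10 - adjusted_temporal) * ENV["CDP"][m["CDP"]])
                  * ENV["TD"][m["TD"]])


def score(vector):
    """Return (base, temporal, environmental) as floats for a vector string."""
    m = parse_vector(vector)
    return float(base_score(m)), float(temporal_score(m)), float(environmental_score(m))


if __name__ == "__main__":
    # Constructed inputs: the CVE-2002-0392 worked example from the CVSS v2
    # guide, and the same base vector with environmental values that push it down.
    for v in ("AV:N/AC:L/Au:N/C:N/I:N/A:C/E:F/RL:OF/RC:C/CDP:H/TD:H/CR:M/IR:M/AR:H",
              "AV:N/AC:L/Au:N/C:N/I:N/A:C/CDP:N/TD:L"):
        print(v, "->", score(v))
```

When reviewing a report, feed each reported vector through score() and compare
the base value with the number the report prints; a score that cannot be
reproduced from its vector, or a vector that parse_vector() rejects, is the
"be suspicious" case above.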

