Consider adopting new CVSS 4.0 for security vulnerability evaluation #312
Currently we use the cvss v3 calculator when determining the severity of a security vulnerability.
CVSS 4.0 is now available. That link includes a FAQ, examples, and a calculator among other information.
We should probably adopt the new CVSS standard for evaluating the severity of vulnerabilities.

Comments

@silverstripe/core-team Anyone got any thoughts on this?

The natural answer is "yes", though I'm not sure what implications there would be for our security process. Probably makes sense to move this to our internal refinement column to put some ACs around doing a quick bit of research on what the implications are before making a decision.

No strong feelings on this. It seems like a good idea to move to the latest version, but would this have materially changed our response to any of the last few significant security issues?

For the most part it looks like not a lot changes, to be honest. There's a few more categories to fill out, and based on those in their typical examples it seems that the score is generally reduced by a bit. I'd say it would very slightly increase the workload to do the CVSS calculation in the first place, but not much more than that really. I don't see any need for us to back-compat and provide two CVSS values, just switch to using 4.0 exclusively.
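Added example, not code from the Silverstripe project or from the CVSS specifications: it parses the base-metric part of a v3.1 or v4.0 vector string, rejects vectors with missing or invalid base metrics, computes the v3.1 base score with the formula and Roundup function from the v3.1 specification, and, for an existing v3.1 vector, lists which v4.0 base metrics carry over and which need a fresh decision (AT, the Passive/Active split of UI, and the subsequent-system impact metrics that replace Scope). The carry-over mapping is this example's own heuristic, not something either specification defines; the v4.0 score itself is not computed, since it comes from the MacroVector lookup table in the v4.0 specification, which is not reproduced here. The sample vectors are constructed.

```python
import math

# Mandatory base metrics and their allowed values for each version.
BASE_METRICS = {
    "3.1": {
        "AV": "NALP", "AC": "LH", "PR": "NLH", "UI": "NR", "S": "UC",
        "C": "HLN", "I": "HLN", "A": "HLN",
    },
    "4.0": {
        "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
        "VC": "HLN", "VI": "HLN", "VA": "HLN",
        "SC": "HLN", "SI": "HLN", "SA": "HLN",
    },
}


def parse_vector(vector):
    """Return (version, {metric: value}) for a CVSS:3.1/... or CVSS:4.0/... string.

    Only base metrics are accepted; temporal/threat/environmental segments
    raise ValueError, as do repeated metrics, bad values and missing metrics.
    """
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:") or parts[0][5:] not in BASE_METRICS:
        raise ValueError(f"unsupported CVSS version prefix: {parts[0]!r}")
    version = parts[0][5:]
    allowed = BASE_METRICS[version]
    metrics = {}
    for seg in parts[1:]:
        if seg.count(":") != 1:
            raise ValueError(f"malformed segment: {seg!r}")
        name, value = seg.split(":")
        if name not in allowed:
            raise ValueError(f"not a CVSS {version} base metric: {name!r}")
        if name in metrics:
            raise ValueError(f"metric repeated: {name!r}")
        if value not in allowed[name]:
            raise ValueError(f"bad value {value!r} for {name}")
        metrics[name] = value
    missing = [m for m in allowed if m not in metrics]
    if missing:
        raise ValueError(f"missing mandatory base metrics: {missing}")
    return version, metrics


def _roundup(x):
    """Roundup from CVSS v3.1 Appendix A; integer arithmetic avoids float artefacts."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def base_score_v31(metrics):
    """CVSS v3.1 base score from parsed base metrics (spec section 7.1)."""
    av = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}[metrics["AV"]]
    ac = {"L": 0.77, "H": 0.44}[metrics["AC"]]
    ui = {"N": 0.85, "R": 0.62}[metrics["UI"]]
    changed = metrics["S"] == "C"
    # PR weights rise when scope is changed.
    pr = {"N": 0.85, "L": 0.68 if changed else 0.62,
          "H": 0.5 if changed else 0.27}[metrics["PR"]]
    cia = {"H": 0.56, "L": 0.22, "N": 0.0}
    iss = 1 - (1 - cia[metrics["C"]]) * (1 - cia[metrics["I"]]) * (1 - cia[metrics["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * av * ac * pr * ui
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + exploitability) if changed else impact + exploitability
    return _roundup(min(total, 10))


def severity(score):
    """Qualitative rating bands shared by v3.1 and v4.0."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def v40_metrics_to_decide(metrics_v31):
    """Heuristic (this example's own, not from either spec): which v4.0 base
    metrics a v3.1 vector already answers, and which need a fresh decision."""
    carried = {m: metrics_v31[m] for m in ("AV", "AC", "PR")}
    if metrics_v31["UI"] == "N":          # UI:R must be re-judged as P or A
        carried["UI"] = "N"
    if metrics_v31["S"] == "U":           # with S:C the 3.1 impact spans both
        carried.update({"VC": metrics_v31["C"], "VI": metrics_v31["I"],
                        "VA": metrics_v31["A"]})   # systems; split it by hand
    new = [m for m in BASE_METRICS["4.0"] if m not in carried]
    return carried, new


if __name__ == "__main__":
    # Constructed sample vectors, not taken from any real advisory.
    for v in ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"):
        _, m = parse_vector(v)
        s = base_score_v31(m)
        print(v, s, severity(s), "v4.0 needs:", v40_metrics_to_decide(m)[1])
    print(parse_vector("CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"))
```

Feeding an existing v3.1 vector through `v40_metrics_to_decide` shows the extra work the comments above refer to: AT and the three subsequent-system metrics always need an answer, and UI:R or S:C vectors need a second look at the user-interaction and impact metrics before a v4.0 score can be produced.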