[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: CVSSv2 → CVSSv3?

From: Mark Cox <mjc_at_apache.org>
Date: Wed, 4 Jan 2017 13:21:37 +0000

security_at_apache.org don't have specific guidance on this because
projects can choose to rate vulnerabilities using whatever system
works for them. However your comments are correct (for example Red
Hat now only rates CVSSv3 and has stopped CVSSv2 on new flaws since
this week), so it would be worth considering that transition.

Mark

On Wed, Jan 4, 2017 at 12:59 PM, Daniel Shahaf <danielsh_at_apache.org> wrote:
> We currently publish CVSSv2 scores for scoring security advisories.
>
> Since we started using CVSSv2, a revised standard, CVSSv3, has been
> released.
>
> Should we migrate to CVSSv3? I.e., start computing CVSSv3 scores for
> security advisories?
>
> ---
>
> Andreas reports distros downstream are migrating to CVSSv3 and would
> rather upstreams did, too.
>
> I don't have an opinion on this; I'm not familiar with the new standard.
>
> Cheers,
>
> Daniel
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: security-unsubscribe_at_apache.org
> For additional commands, e-mail: security-help_at_apache.org
>
Received on 2017-01-04 14:21:40 CET

This is an archived mail posted to the Subversion Dev mailing list.