security_at_apache.org don't have specific guidance on this because
projects can choose to rate vulnerabilities using whatever system
works for them. However, your comments are correct (for example Red
Hat now only rates CVSSv3 and has stopped CVSSv2 on new flaws since
this week), so it would be worth considering that transition.
Mark
On Wed, Jan 4, 2017 at 12:59 PM, Daniel Shahaf <danielsh_at_apache.org> wrote:
> We currently publish CVSSv2 scores for scoring security advisories.
>
> Since we started using CVSSv2, a revised standard, CVSSv3, has been
> released.
>
> Should we migrate to CVSSv3? I.e., start computing CVSSv3 scores for
> security advisories?
>
> ---
>
> Andreas reports distros downstream are migrating to CVSSv3 and would
> rather upstreams did, too.
>
> I don't have an opinion on this; I'm not familiar with the new standard.
>
> Cheers,
>
> Daniel
Received on 2017-01-04 14:21:40 CET