These are the calculator engineering aspects of #186.
The document describes some equivalences or ways that CVSS vector string data can be used to inform SSVC decisions.
CVSSv3.1 is not ideal for this. See the discussion of CVSS in the md file md_src_files/082_relatedSystems.md or where that compiles in the PDF (# Related Vulnerability Management Systems).
My suggested logic for the Impact Metrics from CVSSv3.1 is as follows:
```
IF Scope = Changed
    do nothing
ELIF Scope = Unchanged
    THEN IF Confidentiality = High AND Integrity = High
        DO Technical Impact set to Total
    ELSE
        DO Technical Impact set to Partial
```
This is not a perfect mapping, but I think it is a good start.
Since it is not perfect, we will have to think about the User Experience aspect of this. How do we want to expose what the system is doing to the user? How do we give the user enough information about it that they can override the automation if they so desire?
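A worked example, added here and not code from the SSVC project: a small Python mapper that parses a CVSS v3.1 vector string and applies the logic proposed above, returning the suggested Technical Impact together with a reason string the calculator could show so the user can see what the automation did and override it. The sample vectors and all function names are constructed for this illustration.

```python
import re

# Constructed sample vectors (not taken from the issue) -> expected result.
SAMPLE_VECTORS = {
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H": "total",
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N": "partial",
    "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N": None,
}

_METRIC_RE = re.compile(r"^([A-Z]{1,3}):([A-Z])$")


def parse_cvss31(vector: str) -> dict:
    """Split a CVSS v3.1 vector string into a metric -> value dict.

    Raises ValueError on anything that is not a well-formed v3.1 vector so
    that a bad or truncated string never silently maps to an SSVC value.
    """
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:3.1":
        raise ValueError(f"not a CVSS v3.1 vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        m = _METRIC_RE.match(part)
        if not m:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        key, value = m.groups()
        if key in metrics:
            raise ValueError(f"duplicate metric {key!r} in {vector!r}")
        metrics[key] = value
    for required in ("S", "C", "I"):  # the metrics the mapping depends on
        if required not in metrics:
            raise ValueError(f"missing base metric {required!r} in {vector!r}")
    return metrics


def technical_impact_from_cvss31(vector: str):
    """Apply the mapping proposed in the issue.

    Returns (impact, reason): impact is "total", "partial", or None (None
    means leave Technical Impact unset and let the user decide); reason is
    text the calculator UI can display next to the auto-filled value.
    """
    metrics = parse_cvss31(vector)
    scope = metrics["S"]
    if scope == "C":
        return None, "CVSS Scope is Changed: no automatic mapping proposed"
    if scope != "U":
        raise ValueError(f"unexpected Scope value {scope!r} in {vector!r}")
    if metrics["C"] == "H" and metrics["I"] == "H":
        return "total", "Scope Unchanged with C:H and I:H"
    return "partial", "Scope Unchanged but Confidentiality or Integrity below High"
```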
ahouseholder changed the title from "Pull CVSS vector data into SSVC calculator as appropriate" to "Mapping some CVSS 3.1 vector elements to SSVC Technical Impact" on Feb 11, 2025.
ahouseholder changed the title from "Mapping some CVSS 3.1 vector elements to SSVC Technical Impact" to "Mapping some CVSS vector elements to SSVC Technical Impact" on Feb 11, 2025.