Update the open/closed “tickets” CSVs that accompany the Cybex Scorecard

[chelsgr]

Summary

In support of BOD 22-01 requirements changes, CyHy has requested the following changes to tickets that accompany the Cybex Scorecard:

Objectives

1. Instead of open-criticals, open-highs, closed-criticals, closed-highs, only send two CSVs: open-urgent and closed-urgent. Take this approach if this is possible/easier than the alternative of sending two new spreadsheets for open-KEVs and closed-KEVs.
2. Take existing layout of CSVs that are mailed separately from the scorecard, and add two columns: one denoting severity (i.e. low, medium, high, critical), and the other denoting “known exploited” (true/false).

Note: CyHy is not requesting updates to the Cybex Scorecard PDF as part of this effort.

[felddy]

So if the known_exploitable column is false, does that mean that this vulnerability is not exploitable?

There is a big difference between known exploitable and known exploited, the latter being defined in BOD 22-01, and the former being very broad and undefined.

CISA will determine vulnerabilities warranting inclusion in the catalog based on reliable evidence that the exploit is being actively used to exploit public or private organizations by a threat actor.

https://www.cisa.gov/binding-operational-directive-22-01

[chelsgr]

Referencing #29 (comment), you are correct the language used in all instances should be "known exploited", not "known exploitable".

[chelsgr]

Regarding our question on which CSVs are requested for update, CyHy team provided this response: "only the CSVs mailed separately from the scorecard for now, not changing those within." Updated above.

[dav3r]

Resolved via:

• Support "urgent tickets" queries ncats-webd#27
• Send "urgent tickets" CSVs cyhy-mailer#92
• BOD 22-01 / KEV changes cyhy-reports#72