The Inner Circle

  • 1.  NIST IR 8409 Measuring the Common Vulnerability Scoring System Base Score Equation Draft for Comment

    Posted 28 days ago
    Hi All,

    NIST Releases Draft IR 8409: Measuring the Common Vulnerability Scoring System Base Score Equation

    Today, NIST is seeking public comments on NIST IR 8409 ipd (initial public draft), Measuring the Common Vulnerability Scoring System Base Score Equation.
    Calculating the severity of information technology vulnerabilities is important for prioritizing vulnerability remediation and helping to understand the risk of a vulnerability. The Common Vulnerability Scoring System (CVSS) is a widely used approach to evaluating properties that lead to a successful attack and the effects of a successful exploitation. CVSS is managed under the auspices of the Forum of Incident Response and Security Teams (FIRST) and is maintained by the CVSS Special Interest Group (SIG). Unfortunately, ground truth upon which to base the CVSS measurements has not been available. Thus, CVSS SIG incident response experts maintain the equations by leveraging CVSS SIG human expert opinion.

    This work evaluates the accuracy of the CVSS "base score" equations and shows that they represent the CVSS maintainers' expert opinion to the extent described by these measurements. NIST requests feedback on the approach, the significance of the results, and any CVSS measurements that should have been conducted but were not included within the initial scope of this work. Finally, NIST requests comments on sources of data that could provide ground truth for these types of measurements.
    The public comment review period for this draft is open through July 29, 2022. See the publication details for instructions on how to submit comments.

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------


  • 2.  RE: NIST IR 8409 Measuring the Common Vulnerability Scoring System Base Score Equation Draft for Comment

    Posted 27 days ago
    Very interesting. But practically applying temporal scores to a large list of vulnerabilities seems to be challenging. It needs more effort from stakeholders in the process of scoring. There is also a concern as to who should do it: is it product owners or security guys?

    ------------------------------
    Sivakumar kathiresan
    Senior Product Security Architect
    Elekta
    ------------------------------



  • 3.  RE: NIST IR 8409 Measuring the Common Vulnerability Scoring System Base Score Equation Draft for Comment

    Posted 23 days ago
    No worries, us security cloud watchers are always ready. No matter rain or snow, pandemic or Russian invasion. Keep up the good work, live life to the fullest.

    ------------------------------
    christopher kruse
    President
    SBS Veterans Lookout
    ------------------------------