Re: [open-regulatory-compliance] OSS wish list disclosure information - possible consideration for EU-CRA technical standards work
On 2025-02-07 09:47:52 -0500 (-0500), Dick Brooks via open-regulatory-compliance wrote:
[...]
> * Severity - Give the actual
> <https://www.first.org/cvss/calculator/3.0> CVSS calculator parameters you
> used to arrive at the severity chosen so if someone wanted to, they could
> plug them directly into the interface themselves and customize based on
> their environment. A completely standalone/air-gapped machine is likely not
> going to have to worry too much about a vulnerability or exposure that
> relies on a network-based attack vector (so the threat is much less severe)
[...]
Bit of a pet peeve of mine, but for a lot of open source upstream
vulnerability reporting, reliably arriving at a CVSS at all is next
to impossible. It's really designed for products, not for
components, so often can only be determined by the product vendors
incorporating our projects. The projects I work on refuse to assign
severities at all, but if pressed we would just score every
vulnerability a 10 and urge everyone to patch as soon as possible.
We don't want to be responsible for someone deciding not to apply a
fix based on an inaccurate guess of ours about how vulnerable their
environment is in the face of any particular flaw.
--
Jeremy Stanley