| Re: [open-regulatory-compliance] OSS wish list disclosure information - possible consideration for EU-CRA technical standards work |
On 2025-02-07 09:47:52 -0500 (-0500), Dick Brooks via open-regulatory-compliance wrote: [...] > * Severity - Give the actual > <https://www.first.org/cvss/calculator/3.0> CVSS calculator parameters you > used to arrive at the severity chosen so if someone wanted to, they could > plug them directly into the interface themselves and customize based on > their environment. A completely standalone/air-gapped machine is likely not > going to have to worry too much about a vulnerability or exposure that > relies on a network-based attack vector (so the threat is much less severe) [...] Bit of a pet peeve of mine, but for a lot of open source upstream vulnerability reporting, reliably arriving at a CVSS at all is next to impossible. It's really designed for products, not for components, so often can only be determined by the product vendors incorporating our projects. The projects I work on refuse to assign severities at all, but if pressed we would just score every vulnerability a 10 and urge everyone to patch as soon as possible. We don't want to be responsible for someone deciding not to apply a fix based on an inaccurate guess of ours about how vulnerable their environment is in the face of any particular flaw. -- Jeremy Stanley
Attachment:
signature.asc
Description: PGP signature