Re: [open-regulatory-compliance] OSS wish list disclosure information - possible consideration for EU-CRA technical standards work

On 2025-02-07 09:47:52 -0500 (-0500), Dick Brooks via open-regulatory-compliance wrote:
[...]
> * Severity - Give the actual
> <https://www.first.org/cvss/calculator/3.0> CVSS calculator parameters you
> used to arrive at the severity chosen so if someone wanted to, they could
> plug them directly into the interface themselves and customize based on
> their environment. A completely standalone/air-gapped machine is likely not
> going to have to worry too much about a vulnerability or exposure that
> relies on a network-based attack vector (so the threat is much less severe)
[...]

Bit of a pet peeve of mine, but for a lot of open source upstream
vulnerability reporting, reliably arriving at a CVSS at all is next
to impossible. It's really designed for products, not for
components, so often can only be determined by the product vendors
incorporating our projects. The projects I work on refuse to assign
severities at all, but if pressed we would just score every
vulnerability a 10 and urge everyone to patch as soon as possible.
We don't want to be responsible for someone deciding not to apply a
fix based on an inaccurate guess of ours about how vulnerable their
environment is in the face of any particular flaw.
-- 
Jeremy Stanley
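Added worked example, not part of either message above: a small CVSS v3.0 calculator that takes the published vector parameters the quoted text asks disclosers to include and re-scores them with the Environmental (Modified) metrics, for instance setting Modified Attack Vector to Physical for the air-gapped host discussed. The vector strings are constructed for illustration; temporal metrics (E/RL/RC) are assumed Not Defined.

```python
import math
# CVSS v3.0 metric weights as published in the FIRST v3.0 specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}   # privileges required, scope unchanged
PR_C = {"N": 0.85, "L": 0.68, "H": 0.5}    # privileges required, scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0}  # CR/IR/AR security requirements

def roundup(x):
    """Round up to one decimal using integer arithmetic, so 4.000001 does not become 4.1."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def parse(vector):
    """'CVSS:3.0/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    parts = vector.split("/")
    if parts[0] != "CVSS:3.0":
        raise ValueError("expected a CVSS:3.0 vector string")
    return dict(p.split(":", 1) for p in parts[1:])

def score(av, ac, pr, ui, c, i, a, s, cr="X", ir="X", ar="X"):
    """Base and environmental scores share one formula; with CR/IR/AR undefined the 0.915 cap is inert."""
    iss = min(1 - (1 - CIA[c] * REQ[cr]) * (1 - CIA[i] * REQ[ir]) * (1 - CIA[a] * REQ[ar]), 0.915)
    impact = 6.42 * iss if s == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * AV[av] * AC[ac] * (PR_C if s == "C" else PR_U)[pr] * UI[ui]
    if impact <= 0:
        return 0.0
    return roundup(min((impact + exploitability) * (1.08 if s == "C" else 1.0), 10))

def base_score(vector):
    m = parse(vector)
    return score(m["AV"], m["AC"], m["PR"], m["UI"], m["C"], m["I"], m["A"], m["S"])

def environmental_score(vector):
    """Modified metrics (MAV, MC, ...) override the published ones when not 'X'; E/RL/RC assumed Not Defined."""
    m = parse(vector)
    def pick(name):
        mod = m.get("M" + name, "X")
        return m[name] if mod == "X" else mod
    return score(pick("AV"), pick("AC"), pick("PR"), pick("UI"), pick("C"), pick("I"), pick("A"),
                 pick("S"), m.get("CR", "X"), m.get("IR", "X"), m.get("AR", "X"))

if __name__ == "__main__":
    # Constructed example: a remotely reachable flaw, re-scored for an air-gapped host (MAV:P).
    v = "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    print("published base score:", base_score(v))                                  # 9.8
    print("same flaw, physical access only:", environmental_score(v + "/MAV:P"))  # 6.8
```

The same published parameters yield 8.4 when only local access is possible (MAV:L) and 0.0 when the deployer rates all three impacts as None, which is exactly the per-environment customisation the quoted text argues for.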
