2. Anti-Trust Policy Notice
● Linux Foundation meetings involve participation by industry competitors, and it is the
intention of the Linux Foundation to conduct all of its activities in accordance with
applicable antitrust and competition laws. It is therefore extremely important that
attendees adhere to meeting agendas, and be aware of, and not participate in, any
activities that are prohibited under applicable US state, federal or foreign antitrust and
competition laws.
● Examples of types of actions that are prohibited at Linux Foundation meetings and in
connection with Linux Foundation activities are described in the Linux Foundation
Antitrust Policy available at http://www.linuxfoundation.org/antitrust-policy. If you have
questions about these matters, please contact your company counsel, or if you are a
member of the Linux Foundation, feel free to contact Andrew Updegrove of the firm of
Gesmer Updegrove LLP, which provides legal counsel to the Linux Foundation.
3. CVSS What?
● CVSS = Common Vulnerability Scoring System
● Specification by first.org: https://www.first.org/cvss/
○ CVSS v1.0 was provided around 2005
○ CVSS v2.0 launched in 2007
○ CVSS v3.0 released 2015
○ CVSS v3.1 minor update in 2019 (currently used in NVD)
○ CVSS v4.0 released November 2023
4. Principles of CVSS (v3.1)
Source: https://www.first.org/cvss/v3.1/specification-document
While FIRST owns all right and interest in CVSS, it licenses it to the public freely for use, subject to the conditions below. Membership
in FIRST is not required to use or implement CVSS. FIRST does, however, require that any individual or entity using CVSS give proper
attribution, where applicable, that CVSS is owned by FIRST and used by permission. Further, FIRST requires as a condition of use that
any individual or entity which publishes scores conforms to the guidelines described in this document and provides both the score
and the scoring vector so others can understand how the score was derived.
6. Why is this useful?
[Diagram, three stages of scoring the same Vulnerable Software:
(1) Vulnerable Software → Initial CVSS Vector
(2) Vulnerable Software → Initial CVSS Vector + Temporal Information (input: Up-to-Date Knowledge)
(3) Vulnerable Software → Initial CVSS Vector + Temporal Information + Environmental Information (input: Operational Context / Deployment)]
7. Why is this useful?
[Diagram: Initial CVSS Vector → Initial Score; Initial CVSS Vector + Temporal Information + Environmental Information → Context Score]
The Context Score is a contextualized rescoring of the vulnerability. It represents the severity in the given specific context!
Example:
Initial CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H → Initial Score 10.0 CRITICAL
Temporal information: CVSS:3.1/E:H/RL:U/RC:C
Environmental information: CVSS:3.1/MAV:A/MAC:L/MPR:L
Same base vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H with the temporal and environmental metrics applied → Context Score 9.1 CRITICAL
(The temporal values E:H/RL:U/RC:C are the worst case and leave the score unchanged; the reduction to 9.1 comes from the environmental metrics MAV:A and MPR:L, which lower the modified exploitability for this deployment.)
9. Issues / Limits of “official” CVSS Calculators
• Only one CVSS vector of a specific version at a time.
• No qualitative comparison of score metrics.
• Linking to calculators with the CVSS vector as parameter does not support all cases.
Different situations require different calculators.
• Different usage patterns and visualization.
• NIST and FIRST non-responsive regarding online calculator issues and support.
• Extraction of the modification vector is not a directly supported use case.
Insufficient when contextualization is a fundamental discipline during vulnerability assessment.
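The rescoring from slide 7 and the "extraction of the modification vector" from slide 9, worked in code. This is an added example written for this page; it is not code from the presentation and not the metaeffekt calculator. Constants and formulas are transcribed from the FIRST CVSS v3.1 specification (section 7 for the equations and metric values, section 5 for the qualitative rating, Appendix A for Roundup); the function names are mine. `parse` merges the separate base, temporal and environmental vector fragments shown on the slide into one metric set, `score` computes the base, temporal and environmental (context) scores, and `split` does the reverse, extracting the temporal and modification vectors from a merged vector. It goes beyond the slide's case in that it also handles security requirements (CR/IR/AR), unchanged scope, and a modified impact that drops to zero.

```python
"""CVSS v3.1 base, temporal and environmental (context) scoring.
Added example, not code from the presentation or the metaeffekt calculator;
constants and formulas follow the FIRST CVSS v3.1 specification."""
import math

BASE_KEYS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
TEMPORAL_KEYS = ("E", "RL", "RC")
ENV_KEYS = ("CR", "IR", "AR", "MAV", "MAC", "MPR", "MUI", "MS", "MC", "MI", "MA")
W = {  # metric weights from the spec (section 7.4)
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR_U": {"N": 0.85, "L": 0.62, "H": 0.27},  # scope unchanged
    "PR_C": {"N": 0.85, "L": 0.68, "H": 0.5},   # scope changed
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
    "E": {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},
    "REQ": {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5},  # CR / IR / AR
}

def roundup(x):
    """Roundup from spec Appendix A: integer arithmetic avoids float artefacts."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0

def parse(*vectors):
    """Merge one or more CVSS:3.1 vector strings (partial vectors such as a
    temporal-only or environmental-only vector are allowed) into one dict."""
    metrics = {}
    for vector in vectors:
        prefix, *parts = vector.split("/")
        if prefix != "CVSS:3.1":
            raise ValueError("not a CVSS:3.1 vector: " + vector)
        for part in parts:
            key, value = part.split(":")
            metrics[key] = value
    missing = [k for k in BASE_KEYS if k not in metrics]
    if missing:
        raise ValueError("base metrics missing: " + ", ".join(missing))
    return metrics

def split(metrics):
    """Extract the base, temporal and environmental (modification) vectors."""
    def vec(keys):
        parts = [k + ":" + metrics[k] for k in keys if metrics.get(k, "X") != "X"]
        return "CVSS:3.1/" + "/".join(parts) if parts else ""
    return vec(BASE_KEYS), vec(TEMPORAL_KEYS), vec(ENV_KEYS)

def _impact_exploitability(m, modified):
    """Impact, exploitability and effective scope for base or modified metrics."""
    def v(k):  # a modified metric that is absent or X falls back to the base metric
        mk = m.get("M" + k, "X") if modified else "X"
        return m[k] if mk == "X" else mk
    def req(k):  # security requirements only enter the environmental score
        return W["REQ"][m.get(k, "X")] if modified else 1.0
    iss = 1 - ((1 - req("CR") * W["CIA"][v("C")]) * (1 - req("IR") * W["CIA"][v("I")])
               * (1 - req("AR") * W["CIA"][v("A")]))
    scope = v("S")
    if modified:  # the environmental impact formula differs from the base one
        iss = min(iss, 0.915)
        impact = 6.42 * iss if scope == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 6.42 * iss if scope == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    pr = W["PR_C" if scope == "C" else "PR_U"][v("PR")]
    return impact, 8.22 * W["AV"][v("AV")] * W["AC"][v("AC")] * pr * W["UI"][v("UI")], scope

def _combine(impact, expl, scope):
    if impact <= 0:
        return 0.0
    return roundup(min(impact + expl if scope == "U" else 1.08 * (impact + expl), 10))

def score(metrics):
    """Return (base, temporal, environmental) scores as defined in spec section 7."""
    base = _combine(*_impact_exploitability(metrics, False))
    tf = 1.0
    for k in TEMPORAL_KEYS:
        tf *= W[k][metrics.get(k, "X")]
    environmental = roundup(_combine(*_impact_exploitability(metrics, True)) * tf)
    return base, roundup(base * tf), environmental

def severity(s):
    """Qualitative rating scale from spec section 5."""
    return "NONE" if s == 0 else "LOW" if s < 4 else "MEDIUM" if s < 7 else "HIGH" if s < 9 else "CRITICAL"

if __name__ == "__main__":
    base_vector = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"  # the slide's example
    initial = score(parse(base_vector))[0]
    context = parse(base_vector, "CVSS:3.1/E:H/RL:U/RC:C", "CVSS:3.1/MAV:A/MAC:L/MPR:L")
    b, t, e = score(context)
    print("initial score:", initial, severity(initial))
    print("context score:", e, severity(e), "(base", b, "temporal", t, ")")
    print("extracted temporal / environmental vectors:", split(context)[1:])
```

For the slide's vectors the base score is 10.0 and the context score 9.1: the modified exploitability drops from about 3.89 to about 2.27 because MAV:A and MPR:L replace AV:N and PR:N, the modified impact stays at its cap, and the temporal factors E:H, RL:U and RC:C all weigh 1.0, so the rescoring is driven entirely by the environmental metrics. Note the spec's Roundup is deliberately done on an integer scaled by 100000; a naive `math.ceil(x * 10) / 10` gives a different result for values such as 9.1 × 1.0 that land a hair below the boundary in floating point.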
10. One online CVSS Calculator to rule them all ;)
https://metaeffekt.com/security/cvss/calculator
11. Why the fuss?
• Dealing with many vulnerabilities.
• Automated initial pre-assessment / adjustment.
• Embrace CVSS rescoring as core concept.
• Focus on priorities.
• Overcome simple vulnerability listing. Assess!
• Monitor!
13. Yet more?
• Vulnerability assessment requires guidance beyond the CVSS specification / ISO/IEC 18974:2023:
We currently outline and apply an incremental risk-driven approach with 8 increments / practices.
• Starting is hard…
○ Creating a qualified, comprehensive SBOM
○ Defining scope of assessment / availability of data
○ Context elaboration
○ Imprecise contractual obligations
○ Vulnerability correlation / heterogeneous vulnerability data sources / philosophies
○ Getting control over significant numbers of identified vulnerabilities
○ Customer liaison / communication
ISO/IEC 18974:2023 is a very good starting point!
15. Please Note:
● The OpenChain Project Meeting and Presentation Template contains the
OpenChain trademark and can only be used for matters related to
OpenChain Project activities. This template also contains The Linux
Foundation trademarked logo. The Linux Foundation trademark policy can
be found here:
https://www.linuxfoundation.org/legal/trademark-usage
● If you want to use the OpenChain trademark for commercial activities
please join the OpenChain Partner Program:
https://www.openchainproject.org/partners
Editor's Notes
To verify 4.0 is not yet in use by NVD query the latest entries:
https://nvd.nist.gov/vuln/search/results?isCpeNameSearch=false&query=2024&results_type=overview&form_type=Basic&search_type=all&startIndex=0
Demo Outline:
Start with loaded examples to explain overall structure
Start with a new and empty CVSS v3.1 vector
Fill base
Clone
Adjust
Compare
Show Log4Shell
Query from NVD
Remove 2.0 vector
Clone 3.1 vector
Adjust
Compare
Dice a 4.0 Vector and show factors
Examples to show:
Example dashboard
HTTPD/OpenSSL Dashboard
Windows 11 Dashboard
Keycloak Dashboard