[VIM] Linking third-party CVSS scores through CVEs (was: "CVENEW" messages to be posted to VIM during NVD outage)

Noam Rathaus noamr at beyondsecurity.com
Thu Mar 14 13:49:18 CDT 2013


I am all into having one source for all the CVSS scores for CVEs, but when
this one source doesn't have a fall-back plan or a backup site, it kinda
makes things difficult to stick around to it.

If you have any alternative or method of still matching CVSS and CVEs
without going to some other source beside NVD I will be happy to hear about

On Thu, Mar 14, 2013 at 7:53 PM, Christey, Steven M. <coley at mitre.org>wrote:

> People who are considering linking from CVEs to CVSS scores using non-NVD
> external sources should note two things:
> 1) The CVSS scores from other sources may be inconsistent with those of
> NVD, so those who have "standardized" on NVD-based CVSS scores will need to
> take this into account; when they go back to NVD-based scores, this may
> cause some sudden changes to trends and statistical analyses.  This is
> unavoidable but something to be aware of (while CVSS strives for
> consistency, variation still occurs in the real world.)
> 2) CVSS scores might be over-estimated in some cases if a source "counts"
> vulnerabilities differently than CVE does.  Some external sources might
> combine multiple CVEs into a single record, but have only a single CVSS
> score for that record (probably the maximum score of the worst
> vulnerability).  If such a source is used, then CVSS scores for a single
> CVE might be over-estimated.  For example, suppose CVE-1 has a CVSS score
> of 4.0, and CVE-2 has a CVSS score of 8.0 (ignoring variations in how
> people do CVSS scoring).  If there is a source with a record X that
> combines CVE-1 and CVE-2, but X only uses the single rollup score of 8.0,
> then linking from CVE-1 through X could make it appear that CVE-1 has a
> score of 8.0.  As a result, you should consider the abstraction (counting
> methodology) that is used by whichever source is adopted.  If you want
> greater precision, then you would want a source whose records rarely map to
> more than one CVE.  This should be fairly easy to spot by seeing how vendor
> advisories such as Microsoft, Cisco, and Red Hat are represented in the
> source; these vendors (and many others) typically map to more than one CVE,
> but might only be captured as a single record.
> - Steve

Noam Rathaus
Beyond Security
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.attrition.org/pipermail/vim/attachments/20130314/b65af289/attachment.html>

More information about the VIM mailing list