Secunia Research inception of CVSS3 scoring

Summary

Software Vulnerability Research and the SVM solutions introduced CVSS3 scoring after the Secunia Research team at Flexera began using CVSS3.

Synopsis

This change was made for the following product: Software Vulnerability Manager

Implementation Date: May 18th, 2018

In addition to our own Secunia advisory criticality rating, Flexera scores vulnerability advisories using the industry-standard Common Vulnerability Scoring System (CVSS).

Previously, this was done using the version 2.0 standard. Beginning on 5/18/2018, Secunia Research at Flexera began using the newer version 3.0 standard.

Older scores have not been updated retroactively. New advisories issued after this date are scored and tracked using CVSS v3.0.

This was implemented in two phases. First, on 4/25, we introduced updates to Software Vulnerability Manager so it's capable of handling CVSS v3.0.

Secondly, on 5/18, Secunia Research began recording CVSS scores using the version 3.0 standard.

Discussion

In the User Interface

Flexera now identifies v3.0 scores by indicating "v3" alongside the score in green.

In the API

All API calls returning CVSS data began returning the second set of values for CVSS v3.0 to differentiate between CVSS v2.0 and CVSS v3.0 scores.

Once CVSS v3.0 scoring began, the previous CVSS value was replaced with a blank (-eq $Null), so the value to track going forward is the CVSS v3.0 score.

The label CVSS Score represents CVSS v2.0 (it was not renamed to avoid breaking existing scripts).
New CVSS 3.0 values are now represented as cvss3_score.
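
A consuming script can handle the two fields as follows. This PowerShell code is an added example, not Flexera's own; the JSON key cvss_score (standing in for the CVSS Score label), the record shape and the sample advisories are assumptions, and the severity bands are the standard CVSS v3.0 and NVD v2.0 ranges.

```powershell
# Constructed sample response. The key names cvss_score (the "CVSS Score"
# label, v2.0) and cvss3_score (v3.0) and the record shape are assumptions.
$sampleJson = @'
[
  {"advisory": "SA-EXAMPLE-1", "cvss_score": 7.5,  "cvss3_score": null},
  {"advisory": "SA-EXAMPLE-2", "cvss_score": null, "cvss3_score": 9.8},
  {"advisory": "SA-EXAMPLE-3", "cvss_score": "",   "cvss3_score": ""}
]
'@

function Get-CvssSeverity {
    param([double]$Score, [string]$Version)
    # v3.0 adds None and Critical; v2.0 (NVD ranges) stops at High.
    if ($Version -eq '3.0' -and $Score -ge 9.0) { return 'Critical' }
    if ($Version -eq '3.0' -and $Score -eq 0)   { return 'None' }
    if ($Score -ge 7.0) { return 'High' }
    if ($Score -ge 4.0) { return 'Medium' }
    return 'Low'
}

function Get-EffectiveCvss {
    param([Parameter(Mandatory)] $Advisory)
    # Prefer v3.0; fall back to v2.0 for advisories scored before the switch.
    foreach ($pair in @(@('3.0', 'cvss3_score'), @('2.0', 'cvss_score'))) {
        $version, $name = $pair
        $raw = [string]$Advisory.$name   # $null and "" both become ""
        if (-not [string]::IsNullOrWhiteSpace($raw)) {
            $score = [double]$raw
            return [pscustomobject]@{
                Advisory = $Advisory.advisory
                Version  = $version
                Score    = $score
                Severity = Get-CvssSeverity -Score $score -Version $version
            }
        }
    }
    # Neither field populated: report it rather than treating a blank as 0.
    [pscustomobject]@{
        Advisory = $Advisory.advisory; Version = $null
        Score    = $null;              Severity = 'Unscored'
    }
}

foreach ($advisory in (ConvertFrom-Json $sampleJson)) {
    Get-EffectiveCvss -Advisory $advisory
}
```

Carrying the version alongside the score keeps a threshold such as "9.0 and above" from being applied to v2.0 values, which have no Critical band.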

In the XML

A change to the schema was necessary to add specific values for CVSS v3.0 scores. As with the JSON API values above, we added a cvss3 label to distinguish v3.0 scores. Any scripts or processes that parse this data may break as a result of the schema change.


In Email Notifications

Emails will contain both v2.0 and v3.0 labels. The v3.0 value will be empty until we begin adding v3.0 scores; at that time the v2.0 value will become empty.

In PDF reports

PDF reports containing CVSS values will show CVSS v2.0 (displayed as CVSS) or CVSS v3.0 (displayed as CVSS3) as appropriate.

For more on CVSS see https://nvd.nist.gov/vuln-metrics/cvss

Version history: revision 4 of 4, last updated Sep 27, 2019 03:41 PM