This discussion is about the new draft of CVSS (Common Vulnerability Scoring System) 4.0. CVSS has become the standard method used across the industry for assessing the severity of security vulnerabilities. The changes from the older 3.1 version to the new CVSS 4.0 aim to provide clarity and make it easier to exchange information when identifying the severity of a vulnerability, thus aiding the vulnerability response process. Matthew Coles highlighted that 4.0 now supports separate sets of metrics for vulnerable and impacted systems, introducing scope changes that more clearly identify the level of impact on each of the systems involved. This, in turn, leads to a more detailed severity rating. Listeners can participate in the open commentary period to provide feedback that improves the new CVSS 4.0 draft.
00:00 Vulnerability Prioritization: Looking at CVSSv4
01:52 Public preview period for CVSS v4
02:57 How is CVSS v4 different?
06:19 CVSS expresses both a number and a vector!
08:42 Who should use CVSS?
10:52 Adjusting the released CVSS score according to your environment
11:54 CVSS is a severity scoring system, NOT a risk scoring system
14:18 The uses of temporal and environmental scores
16:19 Adding context to CVSS using runtime information: the Datadog example
28:02 The log4shell example
35:11 Applying CVSS v4 to log4shell
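To make the "number and a vector" point and the separate vulnerable/subsequent system metrics concrete, here is an added example (not code from the episode or from FIRST) that parses a CVSS v4.0 vector string, validates the base, threat and environmental metric groups, and applies environmental overrides the way a consumer would adjust a published score to their own environment. It assumes single-letter metric values and does not handle the supplemental metric group; the vector strings in the test are constructed, not taken from any real advisory.

```python
import re

PREFIX = "CVSS:4.0/"
# Required base metrics in vector order, with their allowed values.
BASE = {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN",   # vulnerable system impact
    "SC": "HLN", "SI": "HLN", "SA": "HLN",   # subsequent system impact
}
THREAT = {"E": "XAPU"}
# Environmental: security requirements plus "modified" overrides of every
# base metric (X = not defined; MSI/MSA additionally allow S = safety).
ENV = {"CR": "XHML", "IR": "XHML", "AR": "XHML"}
ENV.update({"M" + k: "X" + v for k, v in BASE.items()})
ENV["MSI"] = ENV["MSA"] = "XSHLN"
ALL = {**BASE, **THREAT, **ENV}
GROUPS = {
    "exploitability": ["AV", "AC", "AT", "PR", "UI"],
    "vulnerable_system": ["VC", "VI", "VA"],
    "subsequent_system": ["SC", "SI", "SA"],
}


def parse_vector(vector):
    """Return {metric: value} for a well-formed v4.0 vector, else raise ValueError."""
    if not vector.startswith(PREFIX):
        raise ValueError("not a CVSS 4.0 vector")
    metrics = {}
    for part in vector[len(PREFIX):].split("/"):
        m = re.fullmatch(r"([A-Z]+):([A-Z])", part)
        if not m:
            raise ValueError(f"malformed metric {part!r}")
        name, value = m.groups()
        if name not in ALL or value not in ALL[name] or name in metrics:
            raise ValueError(f"unknown, invalid or duplicate metric {part!r}")
        metrics[name] = value
    missing = [k for k in BASE if k not in metrics]
    if missing:
        raise ValueError(f"missing base metrics {missing}")
    return metrics


def effective_base(metrics):
    """Base metrics after environmental overrides (MAV replaces AV, MVC
    replaces VC, ...) whenever the modified metric is not X."""
    return {k: metrics.get("M" + k, "X").replace("X", metrics[k]) for k in BASE}


def grouped(metrics):
    """Split the effective base metrics into the groups CVSS 4.0 defines."""
    base = effective_base(metrics)
    return {g: {k: base[k] for k in keys} for g, keys in GROUPS.items()}
```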