CVSS v3 as vulnerability assessment scale for 2.x
Currently the assessment of MyBB vulnerabilities is being performed without basing on a strict model and the scale description is not accessible publicly - aiming for better credibility and organization, the MyBB Group should introduce both.
Adopt the Common Vulnerability Scoring System v3.0 (https://en.wikipedia.org/wiki/CVSS) as the software security vulnerability risk assessment scale for MyBB 2.x.
CVSS is a technical standard that provides comprehensible and consistent risk scale of security vulnerabilities and helps further task prioritization in third party organizations.
The CVSS-based scale comprises of 8 base metrics:
- Exploitability Metrics
- Attack Vector (AV)
- Attack Complexity (AC)
- Privileges Required (PR)
- User Interaction (UI)
- Scope (S)
- Impact Metrics
- Confidentiality (C)
- Integrity (I)
- Availability (A)
Combined, they give a CVSS score varying from 0 to 10, rounded up to one decimal place. The scores can represented in text form (None, Low, Medium, High, Critical).
Additional factors can be included in order to account for exploitability at a given point of time and organization-specific environment.
The score can be computed using existing calculators, such as: https://www.first.org/cvss/calculator/3.0.
Effects & Implications
Each vulnerability fixed in a release will be listed in the corresponding release notes along with its CVSS score and vector string containing values assigned to each metric.
- First draft: 17 Nov 2015
- Author(s): Devilshakerz
- Status: Accepted
|Voting started||Voting ended||Quorum||Yes||No||Abstain|
|2 Dec 2015||16 Dec 2015||11||9||0||3|