RFC Documents

Accepted MyBB RFC documents and the Request For Comments process.

CVSS v3 as vulnerability assessment scale for 2.x

Abstract

Currently, MyBB vulnerabilities are assessed without a strict underlying model, and the description of the scale is not publicly accessible. To improve both credibility and organization, the MyBB Group should introduce both.

Proposal

Adopt the Common Vulnerability Scoring System v3.0 (https://en.wikipedia.org/wiki/CVSS) as the software security vulnerability risk assessment scale for MyBB 2.x.

Justification

CVSS is a technical standard that provides a comprehensible and consistent risk scale for security vulnerabilities and helps third-party organizations prioritize their response.

The CVSS-based scale comprises 8 base metrics:

  • Exploitability Metrics
    • Attack Vector (AV)
    • Attack Complexity (AC)
    • Privileges Required (PR)
    • User Interaction (UI)
  • Scope (S)
  • Impact Metrics
    • Confidentiality (C)
    • Integrity (I)
    • Availability (A)

Combined, they give a CVSS score from 0 to 10, rounded up to one decimal place. Scores can also be represented in text form as severity ratings (None, Low, Medium, High, Critical).

Additional factors can be included to account for the exploitability at a given point in time and for the organization-specific environment.

The score can be computed using existing calculators, such as: https://www.first.org/cvss/calculator/3.0.

Effects & Implications

Each vulnerability fixed in a release will be listed in the corresponding release notes along with its CVSS score and the vector string containing the value assigned to each metric.
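As an added illustration of how the base metrics above combine into a score and how a vector string is read, this code is not part of the RFC or of MyBB; it implements the CVSS v3.0 base-score equations and qualitative rating boundaries from the FIRST specification, and the vectors fed to it are constructed examples.

```python
# Metric weights from the CVSS v3.0 specification; PR weighs more when Scope is Changed.
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},
    "PR_CHANGED": {"N": 0.85, "L": 0.68, "H": 0.50},
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
}
WEIGHTS["I"] = WEIGHTS["A"] = WEIGHTS["C"]
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
SEVERITY = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical"))


def parse_vector(vector):
    """Split 'CVSS:3.0/AV:N/AC:L/...' into a dict, rejecting malformed or incomplete vectors."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:3.0":
        raise ValueError("not a CVSS v3.0 vector: %r" % vector)
    metrics = dict(part.split(":", 1) for part in rest.split("/"))
    if sorted(metrics) != sorted(BASE_METRICS):
        raise ValueError("vector must carry exactly the 8 base metrics: %r" % vector)
    for key, value in metrics.items():
        if value not in (("U", "C") if key == "S" else WEIGHTS[key]):
            raise ValueError("invalid value %r for metric %s" % (value, key))
    return metrics


def roundup(x):
    """CVSS Roundup: smallest one-decimal value >= x, done in integers to dodge float noise."""
    i = int(round(x * 100000))
    return i / 100000.0 if i % 10000 == 0 else (i // 10000 + 1) / 10.0


def base_score(vector):
    """Return (score, severity) computed with the CVSS v3.0 base equations."""
    m = parse_vector(vector)
    changed = m["S"] == "C"
    def w(k):  # weight of metric k, using the scope-changed PR table when S:C
        return WEIGHTS["PR_CHANGED" if k == "PR" and changed else k][m[k]]
    iss = 1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A"))
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * w("AV") * w("AC") * w("PR") * w("UI")
    if impact <= 0:
        score = 0.0
    else:
        score = roundup(min((1.08 if changed else 1.0) * (impact + exploitability), 10))
    rating = next(name for limit, name in SEVERITY if score <= limit)
    return score, rating
```

A vector whose Impact sub-score is zero (no C/I/A loss) scores 0.0 regardless of how exploitable it is, which is the case release notes would label "None".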


Metadata

  • First draft: 17 Nov 2015
  • Author(s): Devilshakerz
  • Status: Accepted
  • Voting started: 2 Dec 2015
  • Voting ended: 16 Dec 2015
  • Quorum: 11
  • Yes: 9
  • No: 0
  • Abstain: 3