CVSS Temporal/Environmental Metrics

[rybaz]

First off, we are loving the new CVSS additions for findings. It makes it a lot easier to start with a baseline severity and just adjust if needed once we've a finding into a report.

Temporal and environmental metrics would be useful once a finding has actually been moved into a report so we can tailor the severity of a specific finding to match the environment we were in. Our CVSS rankings are our basis for defending (in the unfortunate circumstance where we have to) our severity rankings, and the discussion usually shifts to environmental metrics if any changes need to be made. We can make these on the fly, but having them included in Ghostwriter would be incredibly convenient.

Thanks for all the hard work you do for the underdogs!

[chrismaddalena]

I'm unfamiliar with temporal and environmental metrics for CVSS, but I did some light reading and it sounds like you want support for CVSS v3.1.

This seems doable but might take more work than it seems. Ghostwriter uses FIRST's calculator for CVSS 3.0. It looks like environmental and temporal metrics are in v3.1. There are some docs for a v3.1 calculator. We might be able to switch to the updated calculator and be good. I'll need to read the docs and test it.

If that sounds like what you need, I'll look into it. I might not be able to dig into it for a little bit. I'll be traveling and present at Black Hat USA, so I probably won't be working on anything except minor hotfixes until after BHUSA in August.

[rybaz]

Either way would work for me - if the 3.1 calc contains the extra scoring automatically, that's perfect.

Wish I has going to Blackhat. Have fun!